Is there a way to lock library contents so they cannot be moved by anyone without first unlocking them or something like that?
You can do it with ACL, but there is a steep learning curve if you are not familiar with permission modelling.
"Move" is a permission type that can be applied through ACL rules, which can be limited to a particular object type, state and user/group.
Rules added to the Library default domain will only apply to that library.
If necessary you can create the rules in a sub domain of the library, and have those rules only apply to certain folders which are allocated to that sub domain. Can get tricky as permissions are inherited from parent domains, and are generally additive. I would avoid using deny rules if possible.
You also need read/modify permissions on the cabinet and folder that you want to move into. So you could use this to your advantage, as-in you have permission to move it (in theory) but you don't have permission to put anyway else. This part of the permission model cannot respond to the state of the object being moved however.
Easiest way by far is to make that Library "Private." This removes inheritance of any permissions from higher contexts (e.g. Org or Site level).
Delete all ACL's from this Library (there are a zillion) except those for Manager, and carefully add back for all users:
- Read for cabinet
- Read for subFolder
- Read, Download for product data (e.g. EPMDocument, WTDocument), all states
- Read for WTPart if used, all states
Can refine by only applying Read for whatever state you use for Released and then only allow a Librarian Role to see work in progress if desired.