In your step 3, choose 'Apply to descendant objects only'. To check this has given correct permissions, you can look at the permissions on a DNS record - you will see this new permission showing as inherited.
Please note also, if following the method above, the permission to exclude is 'delete' (rather than delete all child objects').
Also consider that modify is just as destructive as delete, and depending on your use case you might actually need delete.