The 'User Can Disable Password' policy was only available to users on OS 3.6. In order to do what you want with OS 4.x, which I assume is a CYOA-type policy (encourage the password to protect confidential data by enabling it by default, but give the user the ability to remove it with the knowledge that they are doing so against corporate suggested policies, or something like that), is to create one policy group with 'Password Required' set to TRUE and another with it set to FALSE (or just not set). You'll need to add them to the first policy initially, and once they have completed an enterprise activation (or simply had policy pushed down to their handheld), add them to the second policy group. Once its been pushed and applied, they will now have the option to disable the password. If you have content protection enabled by default, their disabling of the password will result in a disabling of content protection, as well (password protection is required for that function).
It's a pain in the ass to manage - we have it implemented the same way at my company. Luckily, with BlackBerry Resource Kit 4.0.3, they added the ability to change a user's policy membership via command-line. Unluckily, doing so results in a membership change on the handheld and in the database, but the GUI still shows the former policy group. And not to mention that there is no BRK for 4.1 (although role-based administration is in place now).
Hope that helps. Sorry for the long-winded reply.