Loading the admin panel in the browser, and loading the admin panel inside an iframe are the same thing. You can’t block one without blocking the other unless you differentiate them somehow.
You would need to make the code that stops users accessing the admin panel look for some identifier, e.g.:
if the URL has iframe=true in the url
don't restrict the admin panel
The specifics of how to do this are dependent on the code in the theme that restricts admins.
But this will then have the problem that any URLs clicked inside the iframe will be restricted too, along with admin AJAX, but that depends on how your admin restriction code works
My recommendation is not to bother. To do this properly you’ll also need to ask the following questions:
- How do I hide the admin toolbar?
- How do I hide the admin menu?
- How do I grant plugin activation/deactivation privileges to authors?
Instead, I recommend you ask those 2 questions, and instead do the following:
- Set your settings pages to require admin privileges, this way authors won’t be able to see them when logged into the backend
- Remove the other pages from the admin menu
All of which have been asked by others on this site.
One final note, themes are for visuals/presentation, not functionality. You should take the admin restriction code and move it into its own plugin. This way the admin is restricted even when the theme is deactivated