List of files/folders writable by the web server?

The short answer is that you’re correct… You don’t want the web server (or web user) accounts to have full write access to your WordPress installation. Your user account, however, will need write permissions for the entire application because many of the WordPress features (such as automatic updates among others) require access to the core files.

The Codex article Hardening WordPress has a section that specifically addresses your concerns called File Permissions.

You can also check out Changing File Permissions, but I think you’ll find the first article most helpful.

Here’s a short excerpt from the Codex article…

Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment.

It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

Here is one possible permission scheme.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the webserver.

… much more goodness in those articles.

Have fun!
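
An added example, not part of the original answer or the Codex: a shell audit for the permission scheme quoted above. It lists what a given web server user and group can write to, and what is not owned by your own account. The function names, the demo tree, and the path and identities in the usage comment are assumptions; supplementary groups and ACLs are not evaluated.

```shell
#!/bin/sh
# Audit a WordPress tree against the ownership scheme quoted above.
# Assumption: the web server runs as one user with one primary group;
# supplementary groups and ACLs are not evaluated.

# List files/directories the web server identity can write to.
# $1 = WordPress root, $2 = web server user, $3 = web server group
wp_web_writable() {
    # Unix checks exactly one permission class: owner, else group, else other.
    find "$1" \( -type f -o -type d \) \( \
        \( -user "$2" -perm -200 \) -o \
        \( ! -user "$2" -group "$3" -perm -020 \) -o \
        \( ! -user "$2" ! -group "$3" -perm -002 \) \
    \) -print
}

# List paths that are NOT owned by your own account.
# $1 = WordPress root, $2 = your user account
wp_not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Build a small constructed tree (not a real install) to try the audit on.
wp_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/wp-content/uploads"
    : > "$demo/wp-config.php"
    : > "$demo/wp-content/uploads/photo.jpg"
    chmod 755 "$demo" "$demo/wp-content"
    chmod 640 "$demo/wp-config.php"                  # not group-writable
    chmod 775 "$demo/wp-content/uploads"             # group-writable on purpose
    chmod 664 "$demo/wp-content/uploads/photo.jpg"
    echo "$demo"
}

# Usage (hypothetical path and identities):
#   sh audit.sh /var/www/wp alice www-data www-data
if [ "$#" -eq 4 ]; then
    echo "Writable by $3:$4:"; wp_web_writable "$1" "$3" "$4"
    echo "Not owned by $2:";   wp_not_owned_by "$1" "$2"
fi
```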