Evaluating Archive Managers - can Nexus do this

Hi, The company I work for are currently performing maven builds using a file-based repository on a shared drive. We would like the libraries to be under some form of configuration management, and are evaluating Nexus, Affinity, and Archiva - selected simply because they are mentioned on the Maven site. The requirements that we have are:

Not Automatically Fetching Libraries
We would like to be able to set up a repository that does not automatically download a new library just because a developer specifies it in a .pom file. We would like an administrator to have to add the file to the repository deliberately. The initial archive would ideally be populated first from our file-based repository, alternatively a build could force an initial fetch then the archive configured not to fetch automatically.

The reason that we want this is so that if a third party changes a library without changing the version number we won't pick up the new version unknowingly. Also we want to ensure that only known libraries and versions are in a build.

Auditing of changes to repository
With information about who does what when. Ideally it would be nice to enable the administrator to add a comment, so they could say why and for which project.

"Normal" archiving of plug-ins
The archive should ideally act as a cache for plug-ins, downloading from the internet when required.

Security model for Administrators
Basically only administrators should be able to add or remove libraries or versions from the repository.

I am looking at Nexus to see how it can achieve the above, I assume that we need to use a hosted repository. Any pointers on what can/can't be done and how it can be achieved would be welcome.

Thanks,
Chris