Hello @uxpascal,
very nice use-case
and good clear instructions 
1. Create an access-policy for your students:
Click on the red links in order.
Then (blue box) you can either create your own from scratch, or import my “Content-Editor”-Policy, which pretty much covers your use-case. If you are new to this, I recommend you download my Policy-XML-File and import it. After the import you can right-click on it and edit it: rename it correspondingly (e.g. “Students Policy”) and grant or reject permissions.
2. Create your “Students” role:
Inside the same page, go to the second tab and create your Student-Role. Give it an authority over 1 - I recommend 100 or 1000 to have room for in-between-roles.
3. Create your media-source(s):
I recommend leaving this ACLs browser-tab open and open the media-source-management in a new separate tab:
We need a separate media-source, as we don’t want the students to edit/delete the root/www-files, and we want them to have a separate folder, where they can’t destroy anything important.
Create your media-source:
Follow the red boxes - click create new, add a name and save it.
Leave the source-type (blue) as is, e.g. “filesystem”. This could maybe be interesting, if you want to connect to either a Dropbox or a Amazon S3-Bucket for the images - just FYI.
Right-Click on your newly created media-source and edit it:
In my example here I have the directory “media” - but you can of course use something like “uploads”, “images” or “students”. Set your settings (red) accordingly (but use the slashes like in my example).
Now save this, but leave the tab open.
[You can add multiple media-sources, like you see fit - like one for the images, and maybe another for their homework, where they would only be allowed to upload PDF/DOC files, for example]
4. Create the students user-group:
Switch back to the ACLs/Security browser-tab and create your students-group:
Switch to the first tab, click “create user-group”, fill in the necessary boxes (reds inside the modal), and save it.
Now comes a little complicated part 
Edit your newly created user-group (right-click and edit, or click on it and press the big edit button) and switch (if you didn’t land there) to the permissions tab:
Add the needed contexts (red):
- Add the before created user-role for editing to the
mgr
-context with the created/imported access-policy (this on the one side gives access to the manager, and at the same time restricts it to the access-policy) (blue)
- I think you also have to add them to the
web
-context with the same role/policy (yellow)
Switch to the settings-tab:
Here you can overwrite default system-settings for this particular user-group.
We want to make sure their default media-source is the restricted one, so click “create new” and add this:
- default_media_source
- setting_default_media_source
- setting_default_media_source_desc
On the top right in the dropdown select “source / media-source”.
Give it the namespace core
and the lexicon-scope manager
.
At the bottom of the modal, click the dropdown and select your students-media-group.
You can add any system-setting here to overwrite it for this group.
You probably only need the media-source-setting, but like you see in my screenshot, you could also give this user-group a different default-template, a different default context (if you have multiple), allow or deny them the right to create a new_document_in_root
, and so on.
Bonus - Change the default dashboard (manager-startpage) of this group:
If you want your students to have a custom dashboard when they login, you can change it here.
I will not go into the details, but in the dashboard-management-menu (under the cogs-icon), you can add a new dashboard, and then select the “widgets” they see. You could also create your own widgets, for like a simple introduction/instruction-text-block or also install QuickStartButtons to give them quick-access to commonly used functions (like maybe creating a new article under a particular parent, or opening the media-browser directly).
Now save your user-group.
5. Link the user-group to the media-source:
Back on the media-source browser-tab, reload the page, and switch to the tab “Permissions”:
Add your students-group and your admin-group to the media-source - both as “Media Source Admins” (don’t worry, as they won’t have the rights to change it… I think I did this, because there were some weird restrictions, if they are not “Media Source Admins”).
6. Create your student-users:
Now that we finished the setup, add your first user:
On the newly loaded page in the first tab, add the necessary data (red):
- Add the username
- Optionally add the full name
- Add the email
- Set the user as active
You might want MODX to send out the password to the newly created user (blue), but for this your setup might need to be adapted some more.
Now switch to the permissions-tab and add the user to its group and give it its role:
Of course you should add a test-user at first for testing everything beforehand -
but if I didn’t forget anything, you are done 
If you have just a couple of students, do it manually.
If you have hundreds, then you might want to check out the User Import extra.
I hope this tutorial was clear and you understood everything - if not, just ask 