
How can we stop users from browsing folders and files?

Status
Not open for further replies.

SenTnel

Technical User
Dec 9, 2003
45
DO
Hello!

Running Win 2003 Server Enterprise and Citrix MetaFrame XP FR3 on a Dell PowerEdge 2600 server.

I need to protect the files on the server and allow users access only to certain folders (two folders exactly). I tried hiding the drives (via GPO), but then they can't view the files they need, besides the fact that in the "open file" dialog box you can type the path and still get to a system folder (let's say: C:\WINDOWS\system32\ ...)

I also tried changing the permissions on the rest of the folders, selecting "deny" for "list folders" etc., but when I restricted it this way the published software does not start.

How can I effectively stop users from wandering around the drives, browsing and possibly altering or deleting files, and still have a fully functional published application?

Thanks a lot for your inputs!
 
This may not be best practice but it works for us so far....

General Drive Folder
Company A Folder
Company B Folder

The NTFS permissions are structured from the root (i.e. D:\) to inherit the following and ONLY the following:

DomainName\Administrators > Full Control
CREATOR OWNER > Full Control - Subfolders Files Only
SYSTEM > Full Control

Individual Companies Setup
Company A is inheriting the 3 above plus
domainname\company A security group (all users in company a)
> Modify Permissions to subfiles and folders only

Essentially this makes it so that the user cannot browse to the folder structure above that which they are assigned permissions to

so they can only get to d:\company drive folder\company a
not d:\company drive folder

The only exception here was the users' PROFILES directory, which they required FULL CONTROL of, but this is normally enabled through AD when the user name is created.

This doesn't really help you for applications, but set modify for everyone for the program files store (yeah, that's a little relaxed, but we are all lazy here...hehe)

Hope this helps in some way or other?
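
The folder layout described in the reply above, applied with `icacls` and then audited, as an added example that is not part of the original thread or written by either poster. The root path, the `EXAMPLE\...` group names and the helper `Get-UnexpectedAce` are placeholders invented for illustration, and the script assumes `icacls` and PowerShell are available on the file server.

```powershell
# Added example. All names below are placeholders, not values from the thread.
$Root       = 'D:\CompanyDrive'            # hypothetical "general drive folder"
$AdminGroup = 'EXAMPLE\Administrators'     # stands in for DomainName\Administrators
$Companies  = @{ 'CompanyA' = 'EXAMPLE\CompanyA-Users'
                 'CompanyB' = 'EXAMPLE\CompanyB-Users' }
$Base       = @($AdminGroup, 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Return every ACE on $Path whose principal is not in $Allowed.
# Anything reported here (Users, Everyone, another company's group) is an
# entry that lets someone outside the intended set see or change the folder.
function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)
    (Get-Acl -Path $Path).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference,
                      FileSystemRights, IsInherited
}

# Top folder: set the three explicit entries first, then drop everything
# inherited from the volume root so nothing else flows down.
icacls $Root /grant:r "${AdminGroup}:(OI)(CI)F"       # folder, subfolders, files
icacls $Root /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $Root /grant:r 'CREATOR OWNER:(OI)(CI)(IO)F'   # (IO): subfolders and files only
icacls $Root /inheritance:r

# Company folders: keep inheriting the three entries above and add Modify
# for that company's group only. (IO) follows the post's "subfiles and
# folders only"; drop it to apply Modify to the company folder itself too.
foreach ($name in $Companies.Keys) {
    $path = Join-Path $Root $name
    icacls $path /inheritance:e
    icacls $path /grant:r "$($Companies[$name]):(OI)(CI)(IO)M"
    Get-UnexpectedAce $path ($Base + $Companies[$name])
}

# Audit the top folder last: explicit ACEs that existed before the script ran
# are not removed by /grant:r or /inheritance:r, so they show up here.
Get-UnexpectedAce $Root $Base
```

An empty result from every `Get-UnexpectedAce` call means only the intended principals hold entries on that folder; run the script against a test folder before touching production data.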
 