How to Secure Shared Data on a Windows Computer
There's three sets of rules that govern file-level security on Window.

Rule 1. Share-level security is additive unless there's a "Deny". A user's permissions for a file share are the Most Permissive possible.

If the Everyone Group has the Read permission on a Share, and the Dialup Users Group has Full Control, and I'm a member of Dialup Users, I inherit Read and Full Control.

There are 3 share-level permissions. Share Permissions are only set at the Folder Level:

Obviously, Denies shouldn't be set unless you REALLY mean it.

Rule 2: NTFS-level security is additive unless there's a "Deny". A user's NTFS permissions for a file are the Most Permissive possible.

There are six File/Folder Permissions for NTFS:

Deny permission still exists, and should only be used to absolutely prevent a behavior.

Rule 3: The combination of NTFS and Share permission is Subtractive, always resulting in the most restrictive combination of permissions.

If I'm a member of Dialup Users, and as such I have Full Control Share permission, but Dialup Users have only Read, Read and Execute and Write NTFS permissions on a the folder that's being shared, the net effect is that I cannot Delete anything, as I do not have the NTFS modify right. I can still write to files that already exist.
I'm an IT trainer/computer contractor who lives in northwest Indiana.

I pay $5 a month to talk to people on Totalfark. For some reason I think this is worth the money.
I get a kick out of the consumer information blog I post there sometimes.