Help with Sharing and NTFS Permissions
Posted on 2007-08-01
I have set up a shared folder on our file server called marketing. This folder has a sub-folder called Literature where we will be keeping PDF versions of all our literature for everyone to view. Within the Literature folder is a folder called Originals, which will store the original file, that only our Marketing person will have access to.
I set up sharing on the Marketing folder with the permissions for Everyone to have Full Control. I then went to the security tab. I was going to leave "Allow inheritable permissions...." enabled. I am pretty certain that I can just set the NTFS permissions on the "Originals" folder to only allow our Marketing person access to the folder, correct?
Also, on the security tab, I noticed that Users, by default, has Read & Execute, List Folder Contents, Read, and Special Permissions enabled by default and that these settings cannot be changed. When I click on the advanced button and go into the Users Special Permissions, I see that they are allowed to Create Files / Write Data and Create Folders / Append Data. However, I only want my users to have read only rights and that is all when they are in the Marketing folder.
My first question is why wouldn't the Users just have "Write" and "Modify" enabled by default within the Security tab instead of having these special permissions? They perform the same functionality, correct?
After doing a bit of digging, it appears that I would want to remove "Create Folders / Append Data" and "Create Files / Write Data" for Users from the advanced security settings, for that particular drive that the Marketing folder resides on. I would also want to put a check mark to "replace permission entries on all child objects..." I would do this because I do not want anyone to create folders or save files at the top level.
Then for the Marketing folder, I would give Modify, Read & Execute, List Folder Contents, Read, and Write permissions to the Marketing Group since I want them to be able to create subfolders and save files within the Marketing folder (or do I have to give them special permissions to do this?). Users would then receive Read & Execute, List Folder Contents, and Read permissions because I only want them to have read access within the Marketing folder.
Finally, on the Originals folder (in Marketing / Literature), I don't want any users BUT those in the Marketing Group to have access. Therefore, I disable "Allow inheritable permissions..." and remove Users from the permissions.
Does this sound like the proper way to achieve this?
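
A read-only check of the layout described in the post, as an added example that is not part of the original post: it reports whether Users still holds any create or write right on the Marketing folder, and whether Originals has inheritance disabled with no entry for Users. The path `D:\Marketing` and the function names are assumptions; `BUILTIN\Users` is taken to be the "Users" entry the post refers to.

```powershell
# Added example: read-only audit, changes nothing on disk.
param(
    [string]$Root  = 'D:\Marketing',   # assumed path to the Marketing folder
    [string]$Users = 'BUILTIN\Users'   # assumed identity behind "Users" in the post
)

# Rights that let a principal add, change or delete content. CreateFiles and
# AppendData are the "Create Files / Write Data" and "Create Folders / Append
# Data" special permissions shown in the Advanced dialog.
$writeRights = [int][System.Security.AccessControl.FileSystemRights](
    'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Get-AllowAce {
    # Allow entries (explicit or inherited) for one identity on one folder.
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity
    }
}

function Test-MarketingLayout {
    param([string]$Root, [string]$Users)
    $originals = Join-Path $Root 'Literature\Originals'

    # 1. Users must hold no write-type right on the Marketing folder itself.
    $writable = @(Get-AllowAce $Root $Users |
        Where-Object { ([int]$_.FileSystemRights -band $writeRights) -ne 0 })

    # 2. Originals must not inherit from its parent and must list no Users entry.
    $acl       = Get-Acl -LiteralPath $originals
    $usersAces = @(Get-AllowAce $originals $Users)

    [pscustomobject]@{
        UsersReadOnlyOnMarketing     = ($writable.Count -eq 0)
        UsersWriteRightsFound        = ($writable | ForEach-Object {
            "$($_.FileSystemRights) (inherited: $($_.IsInherited))" })
        OriginalsInheritanceDisabled = $acl.AreAccessRulesProtected
        UsersAbsentFromOriginals     = ($usersAces.Count -eq 0)
    }
}

Test-MarketingLayout -Root $Root -Users $Users | Format-List
```

Only the identity passed as `-Users` is examined; entries for other broad groups such as Everyone or Authenticated Users can be checked by passing those names instead.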