I'm thinking that one approach to protecting files is to make them write-protected most of the time.
- One idea would be to use a User Profile that has no write privileges - but then there's really no need for a User to be logged into the computer anyway. But maybe it could be done (i.e. logged in) as a default.
- Another idea would be to switch the permissions on the drive (but propagating that might take too long).
The idea is to switch the capability, write some files and switch back. Thus, minimizing the write window in time.
Probably a scheduled task. Perhaps a Powershell script.
I'm looking for ideas.