WellingtonIS


NTFS Permissions on a files server 2008 r2

I have a file server, a 2008 R2 64-bit machine. I have files designated by departments and no inheritance (I take it off). My question is, as much as I'm trying to not allow access to unauthorized users, sometimes I have to mix it up. I need to have one folder to be accessed by other users that are not in the department. I don't want to actually share the folder but just give permission to that folder. I do not want the users to be able to see anything except that one folder and what's in it. What's the best way to accomplish this? This department also has files that are not in folders and I don't want the other users to be able to access them either.
WellingtonIS

ASKER

Do you mean like share that folder just to the users that I want to have permission to view it?
> ... I need to have one folder to be accessed by other users that are not in the department. I don't want to actually share the folder but just give permission to that folder  I do not want the users to be able to see anything except that one folder and what's in it.  

Do the following for each folder you want to restrict.

1. Assume TargetFolderA.
2. Make sure folders in TargetFolderA don't have inheritance applied.
3. Make new group GroupA. Add users to GroupA.
4. Add GroupA to TargetFolderA's Security (NTFS) permissions. Give desired access rights.

> ...this department also has files that are not in folders and I don't want the other users to be able to access them either
Sounds like it conflicts with what you said earlier. Not sure what you mean here. Are these files not part of TargetFolderA?
OK, I'll explain better. Here's a screenshot of what I mean. I only want the users to be able to see and access read-only the folder Employee Health Records without seeing anything else like those xls files and doc files.
example.png
> I only want the users to be able to see and access read only the folder Employee Health Records without seeing anything else like those xls files and doc files

You'd have to either apply NTFS rights to each file pattern via ICACLS... Yuk.
Or, move those files to a folder and apply NTFS rights on the folder... Better solution.
OK, I tried sharing it, let's see if that works. The problem I'm having is when I do that within the folder too much is exposed. If I constantly have to move folders out and around then there's too many. I guess it's a catch-22. Windows stinks when it comes to this, there's never an easy way.
"... too much is exposed."
What does that mean?
>  If I constantly have to move folder out and around then there's too many

Just move those files to a sub-folder. Then restrict that folder. It's a one-time thing, I believe.
"Too much is exposed" means people generally see what they are not supposed to. I've been finding that out accidentally, which is causing me to rethink all my permissions. I have a top-level share in which all users have read-only permissions; they cannot create any folders or save any files. Then I have a bunch of files within that share for each department which I've taken out the inheritance. Obviously in a perfect world it stays that way, but unfortunately people need access to things within things, so I then create a folder without inheritance and give those people permission. However, the catch is unless they have permission to the folder above they can't see what I've given them access to. Therein lies the problem...
Why not have a top-level folder with all the read-only stuff, and have separate top-level folders for each department? The read-only share can be accessed by everyone, and the departmental folders can be accessed only by members of that department.

It amounts to the same number of shares, and you don't have to mess around with inheritance, etc.  It becomes much cleaner and easier to maintain.
That's basically what I have. But the good news is I shared the file I wanted seen and it worked. They can only see what I share without having access to anything else in that folder.
Thanks that worked great!
> I have a top level share in which all users have read only

Instead of "all users" it's better to add specific groups as needed.

> ...unless they have permission to the folder above

Actually, that's not true. If they have read permissions on the Share level, just give them NTFS permissions to the desired folder or file. e.g.
\\share\folder1
\\share\folder1\level1
\\share\folder1\level1\level2

Give group share level read access and NTFS access to \\share\folder1\level1\level2

They can't traverse each level above \\share\folder1\level1\level2 to reach level2. They can just read \\share\folder1\level1\level2
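
The procedure discussed in the thread (break inheritance on the target folder, grant a dedicated group, leave the folders above it alone), as an added PowerShell/icacls example that is not part of any post. The local path, share root and group name are constructed placeholders, and the ancestor check at the end is an addition for confirming that nothing above the target grants broad access.

```powershell
# Constructed placeholders: substitute your own values.
$ShareRoot = 'D:\Shares\Dept'                        # hypothetical local path behind \\share
$Target    = 'D:\Shares\Dept\folder1\level1\level2'  # hypothetical folder to expose
$Group     = 'CONTOSO\GroupA'                        # hypothetical group of outside users

# 1. Stop inheriting from the department folder; /inheritance:d copies the
#    inherited entries to explicit ones so current access is not lost.
icacls $Target /inheritance:d

# 2. Grant the group read & execute on the folder, its subfolders (CI)
#    and its files (OI). Nothing is granted on the parent folders.
icacls $Target /grant "${Group}:(OI)(CI)RX"

# 3. Show the explicit entries now on the target.
(Get-Acl -Path $Target).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 4. Walk up from the target to the share root and list every Allow entry
#    held by the group or by a broad principal. Any row here is a folder
#    whose contents those users can list or read.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', $Group
$dir = Split-Path -Path $Target -Parent
while ($dir -and $dir.Length -ge $ShareRoot.Length) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Folder'; e = { $dir } },
                      IdentityReference, FileSystemRights, IsInherited
    $dir = Split-Path -Path $dir -Parent
}
```

Run it from an elevated prompt on the file server. Users in the group then open the folder by its full path (\\share\folder1\level1\level2), since they cannot browse down to it through the levels above.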