Because of the way a web page utilizes the custom control the custom control ends up recognizing the web page's directory - which is why the security model you're using doesn't work.
However, not allowing a user to view or edit a control seems more like a business rule instead. Validation should be made within the code to determine whether or not a user can view or edit a control.
Hope this helps...