Implement NT user security on VFP exe
Message
From
09/08/2006 11:10:30
 
 
To
09/08/2006 10:45:02
General information
Forum:
Visual FoxPro
Category:
Installation, Setup and Configuration
Miscellaneous
Thread ID:
01144151
Message ID:
01144169
Views:
16
Hi

> What I'm considering is the possibility of not authenticating when the user
> logs into the workstation but instead have the authentication to the required
> directories scoped to the EXE/application itself. So basically I would create
> a stub application that if accessible to the user, then that EXE would have
> the embedded authentication to provide the read/write ability to the required
> directory data files. Ideally the user would still not have the ability to
> do anything to these files through the XP explorer as only the EXE itself
> would have permissions.

This is possible, but there's a security problem: in order to use impersonation to reauthenticate as another user (which is necessary in this scenario) the starting user essentially requires admin privileges on the local machine.

If they have that then this impersonation code may help:
* Assume the identity of a user who can access the data:
* Based on a FoxTalk article, September 2003, by Alf Borrmann.

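define class userinfo as relation
	* Wraps the Win32 LogonUser / ImpersonateLoggedOnUser pair so a running VFP
	* process can temporarily act as another Windows account (for example, one
	* that holds the only NTFS rights on a data directory).
	*
	* Risk notes for anyone embedding this in a stub EXE:
	*   - cPassWord is handled in plain text. Credentials compiled into a VFP EXE
	*     can be recovered by anyone who can read the file, so the impersonated
	*     account should hold no more than the rights it needs on the data folder.
	*   - Impersonation applies to the calling thread only; any file the process
	*     opens while impersonating is opened as the impersonated account.
	*   - NOTE(review): LOGON32_LOGON_NETWORK is declared below. A network-type
	*     logon token is generally not usable for reaching remote shares from
	*     this machine; confirm the data directory is local before relying on it.

	* Token returned by LogonUser(); 0 while no token is held.
	hidden nUserHandle
	nUserHandle = 0

	* Register the Win32 entry points as soon as the object exists.
	procedure init
		this.DeclareAPIs()
	endproc

	* Best-effort cleanup: drop the impersonation, close the token and unload the
	* DLL declarations this class registered. Errors are swallowed on purpose:
	* Destroy may run during VFP shutdown when nothing can usefully be reported.
	procedure destroy
		try
			this.RevertToSelf()
			this.ReleaseToken()
		catch to oDear
			* deliberately ignored (see comment above)
		finally
			clear dlls "LogonUser", "ImpersonateLoggedOnUser", "WNetGetUser", "RevertToSelf", "CloseHandle"
		endtry
	endproc

	* Closes the logon token if one is held. CloseHandle(0) is itself an error
	* in Win32, so the handle is only closed when it was actually obtained.
	hidden procedure ReleaseToken
		if this.nUserHandle # 0
			CloseHandle(this.nUserHandle)
			this.nUserHandle = 0
		endif
	endproc

	* Declares the Win32 functions used by this class.
	* The #define constants are compile-time and visible from here to the end
	* of the file, which is why Impersonate() (declared later) can use them.
	procedure DeclareAPIs

		#define LOGON32_PROVIDER_DEFAULT 0
		#define LOGON32_LOGON_NETWORK  3

		* LogonUser returns non-zero on success and writes the token handle
		* into the final by-reference parameter.
		declare short LogonUser in Win32API;
			string cNewUserName,;
			string cDomainName,;
			string cPassWord,;
			integer nLogonType,;
			integer nLogonProvider,;
			integer @nUserHandle

		declare short ImpersonateLoggedOnUser;
			in Win32API;
			integer nUserHandle

		* WNetGetUser returns 0 on success and fills cUser with a NUL-terminated name.
		declare integer WNetGetUser in Win32API;
			string @cName,;
			string @cUser,;
			integer @nBuffersize

		declare short RevertToSelf in Win32API

		declare short CloseHandle in Win32API integer

		* Don't release GetLastError as other modules use it.
		declare integer GetLastError in kernel32

	endproc

	* Returns the account name the current (possibly impersonated) context is
	* running under, or the literal "ERROR" if WNetGetUser fails.
	procedure GetLoggedOnUser as string

		local cName as string, nBuffersize as integer, cUser as string, nNul as integer
		cName = chr(0)
		nBuffersize = 64
		cUser = replicate(chr(0), nBuffersize)

		if WNetGetUser(@cName, @cUser, @nBuffersize) = 0
			* Strip the NUL terminator and the padding that follows it.
			nNul = at(chr(0), cUser)
			cUser = iif(nNul > 0, left(cUser, nNul - 1), cUser)
		else
			cUser = "ERROR"
		endif

		return cUser

	endproc

	* Logs on as cDomainName\cUsername with cPassWord and makes the current
	* thread impersonate that account.
	* Returns .T. when the impersonation took effect (verified by reading back
	* the logged-on user), .F. otherwise.
	* Raises a VFP error (via ERROR) when LogonUser or ImpersonateLoggedOnUser
	* fails; cleanup is done BEFORE the error is raised so a caller's TRY/CATCH
	* never leaves the process half-impersonated.
	procedure Impersonate(cDomainName as string, cUsername as string, cPassWord as string) as Boolean

		local nUserHandle as integer, nSuccess as integer, nLastError as integer

		* A token from an earlier call would otherwise be overwritten and leaked.
		this.ReleaseToken()

		nUserHandle = 0

		nSuccess = LogonUser(cUsername, cDomainName, cPassWord, ;
			LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, @nUserHandle)

		if nSuccess = 0
			* Read the error code before any other API call can overwrite it.
			nLastError = GetLastError()
			this.RevertToSelf()
			error "LogonUser call failed with a code of " + transform(nLastError)
			return .f.
		endif

		* Keep the token so Destroy() or the failure path below can close it.
		this.nUserHandle = nUserHandle

		nSuccess = ImpersonateLoggedOnUser(nUserHandle)

		if nSuccess = 0
			nLastError = GetLastError()
			this.RevertToSelf()
			this.ReleaseToken()
			error "ImpersonateLoggedOnUser call failed with a code of " + transform(nLastError)
			return .f.
		endif

		* Windows account names are case-insensitive; an exact (==) comparison
		* reported failure whenever the stored case differed from cUsername.
		return (upper(alltrim(this.GetLoggedOnUser())) == upper(alltrim(cUsername)))

	endproc

	* Ends the impersonation and returns to the process's own identity.
	* Returns .T. on success; the Win32 RevertToSelf returns zero for failure.
	* Inside the method the unqualified name refers to the declared DLL
	* function, not to this method.
	procedure RevertToSelf()
		local nSuccess
		nSuccess = RevertToSelf()
		return (nSuccess # 0)
	endproc


enddefine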