>>You can use a COM Automation Server for all the data access. It will use a different username/password to access the data directory. The users will never actually have access to the data.
>
>This sounds interesting...I'm not quite sure how it would work, though.


The users have access to the COM object. It then uses a different ID to log onto the server to access the data. This way, the users never have direct access to the data...everything goes through the COM server.


>In between all domain users and our root data directory, we have a domain usergroup of allowed users, as well as an "information" table to what processes the allowed users are permitted into. Some users are read-only, some even have ability to do EXCL opens for certain processes. Data is divided into subdirs, and subdir permissions are set in domain sub-groups.
>
>Do you think it would be easy to implement a COM Server to handle this situation? I like the concept, but it sounds kind of messy...

MTS Roles handle this automatically for you.