>>- let's authenticated users access a particular file (not browse the foler)
>Maybe I am missing something, but if you create a "default.htm" in that folder that should prevent users from browsing it.
>
>>- locks unauthenticated users out
>Another approach to this problem could be to provide a web page within you application that would list (with A HREF=...) all files that users have access to.

Hector, I don't think that will solve the problem of users having read access to the folder because the HREFs will still contain a URL that points directly to the file. Wherever it is located in IIS, it will be visible to the world.