>>>- let's authenticated users access a particular file (not browse the foler)
>>Maybe I am missing something, but if you create a "default.htm" in that folder that should prevent users from browsing it.
>>
>>>- locks unauthenticated users out
>>Another approach to this problem could be to provide a web page within you application that would list (with A HREF=...) all files that users have access to.
>
>Hector, I don't think that will solve the problem of users having read access to the folder because the HREFs will still contain a URL that points directly to the file. Wherever it is located in IIS, it will be visible to the world.

Well, I was thinking that that folder will have authentication enabled and that people will only get to it after authenticating on Evan's application. But I am not even sure I am getting the question here so I would better bail out :)