Secure Files and Folders with NTFS Permissions
As mentioned, the share permissions are meaningless when someone is accessing files and folders locally. You can still secure files locally, however, if you use NTFS permissions. Before you do so, you need to take two preliminary steps:Chapter 4, "Disk and File System Management," for details).
Once you take these steps, you'll see the Security tab when examining the Properties of a file or folder stored on an NTFS partition. As shown in Figure 11-7, the Security tab contains an ACL where you set NTFS permissions. As with share permissions, you have very granular control over permissions for individual users and groups. NTFS permissions are more powerful and flexible than share-level permissions, though.
Figure 11-7. NTFS permissions are set with the Security tab.

- NTFS permissions are effective locally. Share permissions apply only when network connections are made to a resource.
- NTFS permissions are effective for both folders and individual files. Share permissions can be granted at the folder level only. The share permissions then apply to all files and subfolders within the share.
- File permissions override folder permissions.
- As with share permissions, each of the NTFS permissions has an Allow setting and a Deny setting.
- Like share permissions, NTFS permissions are cumulative. A user who's granted the NTFS Read permission via the Everyone group and the NTFS Full Control permission through his or her membership in the Administrators group would have the Full Control effective permission.
And finally this, which merits a separate paragraph: when NTFS and share permissions are combined, the effective permission is the most restrictive permission. For example, if a user is granted the share-level permission Full Control and the NTFS permission Read, the effective permission is… Read. (It's confusing, I know, but you've got it in writing, so you can re-read this chunk if necessary.)
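The rules above can be checked with a small model. This is an added example, not part of the original text: the four-right breakdown, the level tables, and the sample ACLs are constructed simplifications, and the Deny-beats-Allow rule is standard Windows behaviour that the text does not spell out.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1
    WRITE = 2
    DELETE = 4
    CHANGE_PERMISSIONS = 8

ALL = Right.READ | Right.WRITE | Right.DELETE | Right.CHANGE_PERMISSIONS

# Simplified level tables; real NTFS levels expand into more special permissions.
SHARE_LEVELS = {"Read": Right.READ,
                "Change": Right.READ | Right.WRITE | Right.DELETE,
                "Full Control": ALL}
NTFS_LEVELS = {"Read": Right.READ,
               "Write": Right.WRITE,
               "Modify": Right.READ | Right.WRITE | Right.DELETE,
               "Full Control": ALL}

def resolve(acl, principals, levels):
    """Cumulative rights from every entry naming the user or one of their groups."""
    allowed = denied = Right(0)
    for principal, setting, level in acl:
        if principal not in principals:
            continue
        if setting == "Allow":
            allowed |= levels[level]
        else:
            denied |= levels[level]
    # Deny beats Allow: standard Windows behaviour, assumed here (inheritance ignored).
    return allowed & ~denied

def effective(share_acl, ntfs_acl, principals, over_network):
    """NTFS always applies; the share ACL is intersected only for network access."""
    ntfs = resolve(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs
    return ntfs & resolve(share_acl, principals, SHARE_LEVELS)

# Constructed sample ACLs: (principal, setting, level)
SHARE_ACL = [("Everyone", "Allow", "Full Control")]
NTFS_ACL = [("Everyone", "Allow", "Read"),
            ("Administrators", "Allow", "Full Control"),
            ("Contractors", "Deny", "Write")]

if __name__ == "__main__":
    for who in ({"Everyone"}, {"Everyone", "Administrators"},
                {"Everyone", "Administrators", "Contractors"}):
        print(sorted(who), effective(SHARE_ACL, NTFS_ACL, who, True))
```

Swapping the share ACL to Read shows why a wide NTFS grant alone does not decide network access, while the same user logged on locally still gets the full NTFS result.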