You should apply the most restrictive permissions possible to all users (with the natural exception of the administrator accounts, and even those can be limited on a more granular level in Windows 2000). However, you shouldn't be overzealous, either. In this context, "most restrictive" means applying a level of access that allows a user to perform his or her job, but no more. For example, perhaps you have a share on your network for all of your corporate expense form templates. A typical user in your organisation simply needs to be able to read the form--not overwrite it with his or her completed version. In this situation, standard users should be granted only Read permission, while the person or group responsible for maintaining the forms folder is granted the permission needed to change and overwrite the templates.

Share permissions
When you create a new share on a Windows 2000 server, the Everyone group is assigned Full Control, which means exactly what it says--anyone who can reach the share can add, delete, or modify anything on it. In Windows Server 2003, a new share is assigned only Read for Everyone by default. Remember that share permissions and NTFS permissions are combined, and the more restrictive of the two wins, so a share permission can only narrow what NTFS already allows, never widen it. Share permissions offer these three options:

Read: Users accessing the share can only list folders and read the contents of files, regardless of how generous their NTFS permissions are.

Change: Users have Read permission and can also create, modify, and delete files and folders, as long as their NTFS permissions allow this activity.

Full Control: Users have the same capabilities as Change but can also change NTFS permissions on files and folders and take ownership of them (again, only where NTFS permits it). Obviously, this should be reserved for admins.

Clicking the Permissions button on the Sharing tab of a shared folder displays the list of users and groups with share permission assignments and provides a place to make changes. Figure A shows a sample screen from the share permissions of a folder on a Windows Server 2003 system.

Figure A
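The forms-share scenario above, carried out as a script, is added here as an example and is not code from the original article. It uses the SmbShare cmdlets (available on Windows Server 2012 / Windows 8 and later; on Windows Server 2003 the equivalent share step is the net share /GRANT command shown in the comments), and it assumes two hypothetical groups, CORP\Domain Users as the readers and CORP\Forms-Maintainers as the people who update the templates, plus the path D:\Forms. The second function audits every ordinary share on the server for the Windows 2000-style "Everyone / Full Control" (or Change) assignment the text warns about.

```powershell
# Added example (not from the original article): create the forms share with
# least-privilege share permissions, give NTFS the same shape, then audit all
# shares on this server for over-broad share permissions.
#
# Assumptions: SmbShare cmdlets (Server 2012 / Windows 8 and later), and the
# hypothetical groups CORP\Domain Users (readers) and CORP\Forms-Maintainers.
# On Windows Server 2003 the share step would instead be:
#   net share Forms=D:\Forms /GRANT:"CORP\Domain Users",READ /GRANT:"CORP\Forms-Maintainers",CHANGE

$ShareName   = 'Forms'
$SharePath   = 'D:\Forms'
$Readers     = 'CORP\Domain Users'
$Maintainers = 'CORP\Forms-Maintainers'

function New-LeastPrivilegeShare {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ReadGroup,
        [Parameter(Mandatory)] [string] $ChangeGroup
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Share-level ACL: readers get Read, maintainers get Change, and only the
    # local Administrators group keeps Full Control.
    New-SmbShare -Name $Name -Path $Path `
        -ReadAccess   $ReadGroup `
        -ChangeAccess $ChangeGroup `
        -FullAccess   'BUILTIN\Administrators' | Out-Null

    # Make sure no Everyone entry survives, whatever the OS default was.
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force `
        -ErrorAction SilentlyContinue | Out-Null

    # NTFS ACL: effective access is the more restrictive of share and NTFS, so
    # mirror the share ACL on disk rather than relying on the share alone
    # (local logons and other paths to the folder never see share permissions).
    # (OI)(CI) inherit to files and subfolders; RX = read/execute, M = modify, F = full.
    icacls $Path /inheritance:r /grant `
        "${ReadGroup}:(OI)(CI)RX" `
        "${ChangeGroup}:(OI)(CI)M" `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    Get-SmbShareAccess -Name $Name
}

function Find-OverPermissiveShares {
    # Lists every non-administrative share where a broad identity holds Change
    # or Full Control at the share level (the Windows 2000 default is exactly
    # this: Everyone / Full Control).
    $broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'CORP\Domain Users')
    Get-SmbShare |
        Where-Object { -not $_.Special } |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $_.AccountName -and
            $_.AccessRight -in @('Full', 'Change')
        } |
        Select-Object Name, AccountName, AccessRight
}

New-LeastPrivilegeShare -Name $ShareName -Path $SharePath `
    -ReadGroup $Readers -ChangeGroup $Maintainers |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

Find-OverPermissiveShares | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the file server. The first table should show exactly three Allow entries for the Forms share (Read, Change, Full for the three groups), and the audit table should come back empty on a server whose shares follow the least-privilege rule; any row it does print is a share where a broad group could add, delete, or modify whatever NTFS lets it reach.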