"application only" share drive access?
I am looking at a distributed application which uses a share drive as a cache for many large files. I would like to not allow open access to the share for the users of the PC, but still grant access to the application. I have searched TechNet and Google for possible solutions, but have come up very empty. Any suggestions or pathways I should look at?
April 14th, 2011 11:31am
Generally this is not possible. You may consider using Remote Desktop Services for this. However, if the application's UI allows filesystem lookup (for example via an open/save file dialog box), RDS will not help either. This is because access can be granted/denied only for security principals. An application is not a principal, but something that runs within a security principal's space, and all allowances/restrictions for the user are propagated to the user's applications.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 14th, 2011 11:46am
Vadimis, thanks for the feedback. I was thinking some sort of "run as" type of configuration? Where the application runs as a different user, thus can read the share. Or possibly make the application be or use a service with a higher level of privileges? As this is a 3rd party installed app, I am limited to non-code change based options. Any other ideas?
Regards, Bruce
April 14th, 2011 1:44pm
Runas is not an option, because to run a certain application under different user permissions, a user must know another user account name and password. Even if you use a tool like admilink, technically it is possible to extract a password from another user account.
If you can run the application as a service (probably the LocalService account would be enough), then this can be considered as a solution.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 14th, 2011 2:52pm