We are running XP Prof clients on a Server 2000 network, together with Office 2007 applications installed on client machines. This is a school and I need to create a secure area in which a group of students will each create a Word Document in their own folder. They will edit these in a supervised lesson. At the end of the session all access to the documents must be prevented, until the next supervised session. This is required by the Examination authorities, so that editing outside the supervised time is not possible. Now I can use inherited NTFS permissions to deny access right down to the individual folder level, but having done this, by explicitly setting 'deny all access', the students cannot browse via Windows Explorer to reach their documents. However, if the student returns to the same machine and opens (eg) Word, the list of recent documents shows the earlier file and allows full access, regardless of the containing folder permissions. All the students are in a group named 'Pupils'. The final folder permissions show that the 'Pupils' group are denied access, but the individual student still has full control! Help!! Thanks to anyone helping me out on this one. I'm a teacher, not a network professional, so a simple answer would be appreciated!!

Word 2007 is probably opening up the Temporary file. Have the user actually try and SAVE the file, and see if they get access denied then. From http://support.microsoft.com/kb/211632 The location where Word creates the temporary files is hardcoded information and cannot be edited. Therefore, it is important that NTFS permissions for the user are set accordingly. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 277867 (http://support.microsoft.com/kb/277867/ ) Windows NTFS permissions are required when you run Word on any NTFS partition that has Windows 2000, Windows XP Professional, Windows Server 2003, or Windows Vista installed When you open a file on a UNC share with Word 2007, the file is first copied to the temp directory. Then, the file is opened from the temp directory. More Info: The Temp directory will be per user and set to %TEMP% (an environment variable that should be roughly TEMP=C:\Documents and Settings\USER1\Local Settings\Temp)

Hi, thanks for the reply. I've tried it, but the document can be opened, edited and the changes saved by 'Student X'. 'Student X' is a member of the Organizational Group, 'Pupils', which is denied access, but this is not taking priority over his own permissions, 'Student X' still has Full Control, despite this membership. I'm wondering if this should be a Security Group, not an OG. Off to try it! Thanks.

Yes, you need to create a security group. You shouldn't be able to apply security to anything other than a Security Group.