Setting up a limited user account on Windows Server

view full story

http://serverfault.com – I'd like to create a user account on a Windows Server which can read whatever bits of C:\ it needs to be able to execute programs, but have no read access to D:\ except for D:\Special. It seems that the only sane way of achieving the former is to make this user part of the Users group. Unfortunately that also gives the user read access to all of D:\. If I add a Deny rule for D:\, however, this rule also applies to D:\Special, and it seems to be impossible to override by design. Is there any way to do what I want, namely the "usual" Users access to C:\, but on D:\ no access except for read ac (HowTos)