I am archiving files into self-extracting .exe files. I want the user to have to copy the .exe to their machine in order to execute (extract) the files. So I want to deny only execute permission. They should still be able to write new files, and traverse folders. Possible?
This is not a duplicate post as Mark labeled it as. The valid, and different, question is setting execute to deny but still allowing traverse folder permission. In Server 08, the permission is labeled as "Traverse folder/Execute file". This is found in the properties > security > advanced >permissions section.
To allow "traverse folder": edit the permissions for the user/group you want and check "allow" for "traverse folder/execute file" and whatever else you want. Click ok to set the permissions. *Note: make sure you have the "Apply to:" drop down set to "this folder, subfolders, and files" (or "this folder and subfolder").
This is where things change... To deny executing a file: (still in the advanced permissions tab), add the same user/group you just edited the permissions for, but this time in the "apply to:" drop down select "files only" option and check "deny" in the "traverse folder/execute file" box. Click ok.
You should now be able to traverse folder and not execute file.
The deny will not overide the allow traversal since it is applied to the files in the folder and not the folder/subfolder themselves. You will now have two permission entries under your permissions. One for the allowing traversal and everything else. the second, just for denying execution of files.
To allow users to traverse folders & subfolders, but not execute files, go to the Advanced permissions dialogue for the top level folder in question and set the Traverse folder / execute file permission and Apply to: This folder and subfolders. Doing it this way means you do not need an explicit deny execute because you have only granted the allow permissions on folders & subfolders, not files.
If I recall correctly, you'll find what you are looking for under the security settings of the folder. Just right click the specific folder, select properties, then the security tab. You can set just read and write capabilities without giving execute rights.
besides Mike's advice, you have firstly choose the kind of user to whom apply rights. So, if you want apply these restrictions to a normal user, you have to find group "Users" or which you prefer or you have to create a group and add all the users you want and apply rights to this new group.