one of my win2k instructors made a HUGE effort in describing the 'recommended' method of shares/permissions, which was:
for sake of convenience All SHARES should have "authenticated users" will full permissions, and then use NTFS permissions on the files/folder to secure. The ntfs perms will supersceed the shares, since most restrictive perms will apply. Then you only need to maintain one set of perms and will not have 'conficts' with your logic.
Use that as a basic rule (don't foget to set perms on the shared folder, not just the contents of the folder)
