Question:
Is there a way to restrict users on Windows 2003 Server so that they can only access certain shared folders?
Three answers:
2016-10-15 12:37:35 UTC
My guess, without seeing, is that all folders are mapped by way of the domain. You need to attempt direct peer-to-peer mapping (device call C:) particularly of (area namecontinual J;). If that does no longer help, drop me an digital mail and that I am going that might actually assist you out. I do this for a residing; I'm an MIS/IT
ladeehwk
2006-11-03 16:34:03 UTC
Permissions given at the folder level should be how anyone has access to data on the server. With Microsoft, all authenticated users can 'see the directories'; they just are not able to read the information in the directories unless they have permission at that folder level.
twoclones
2006-11-03 16:53:00 UTC
What you want is to set up Access-based Enumeration on your server. Below is from my personal cheat sheet...



Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access.



Permissions

The permissions can be a little tough to get working, but once you understand them it's not so bad.



The key is to start with a new folder, share it, and remove all permissions except for Domain Admins full control, even SYSTEM. You do this by going to the Security tab, selecting Advanced, and unchecking [Allow inheritable permissions from the parent]. When it asks what to do, I usually copy the permissions and then manually remove the ones I don't want. If Domain Admins is not there, add it {this is very important: if you don't leave yourself some access before you click OK, you won't have access to the folder}, then click Apply.

At this top level folder, turn on ABE and assign share permissions like this...



Administrators full

domain admins full

Authenticated users read and change

On the Security tab of the folder properties, click Advanced.



The only permission you should see is Allow Domain Admins (Domainname) Full Control, not inherited {if it shows inherited then you didn't remove all the permissions in step one}, Apply to: This folder, subfolders and files.



At this point I add Domain Users. After you browse for the user or group that you want, the Permission Entry for [sharename] window pops up.



Make sure Apply onto: is changed to This Folder Only. This is the key to make ABE work. The only permissions that should be selected are:



Traverse Folder / Execute File

List Folder / Read Data

Read Attributes

Read Permissions





These are the permissions needed to traverse any folder under ABE. If you want everyone to see the folders under this folder, you assign it to Domain Users; if it is only a specific user, you assign them to that user.



For example:

Top level share {This is where we have done all the work so far}

    Second level folder1 {Domain Users get the above permissions here}

        Third level 1a {Domain Users get full control}

        Third level 1b {Domain Users get full control}

    Second level folder2 {Bob gets the above permissions here}

        Third level 2a {Bob gets full control here}

    Second level folder3 {Joe gets the above permissions here}

        Third level 3a {Joe gets full control here}



In this scenario, both Bob and Joe can see Second level1 and the folders underneath, but only Bob can see second level 2 and under, and only Joe can see Second level 3 and under.



If you structure your folders correctly and use group permissions, you can add folders in such a way that you keep your administration to a minimum. But this can get to be a real nightmare if you go too deep and have to give individuals, or groups, access all the way down the tree.



In our example above, the second level1 would be seen by everyone, and then you add specific user or group permission to the third level 1a or b and so on. If you don't have access, you can't see it.



Long explanation for something that should be simple,

They should take some lessons from Novell on ABE. Novell handles all the permissions up the tree automatically: if you assign permissions anywhere down the tree, the uplevel permissions are automatically assigned. This is where the problem lies with MS ABE; if you keep your file system flat, you'll have no problems. Unfortunately, you can't set up ABE on an existing file structure and maintain the user permissions. You would have to set up the ABE share, move the folders under the file structure you set up, and reconnect them to the new share. If you do a move on the same partition, the permissions will be retained. If you copy or move to a different partition/server, the permissions will be inherited from the upper-level folder, and then you would have to rebuild all the permissions blind, unless you screen cap all the permissions before you move them.
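
The following is an added example, not part of the original answer: a read-only PowerShell audit of the NTFS layout the answer describes for the top-level folder (inheritance off, Domain Admins full control, and a "This folder only" browse entry with the four listed rights). The path and the `EXAMPLE\...` account names are placeholder assumptions; it only reads the ACL with `Get-Acl` and changes nothing.

```powershell
# Placeholders (assumptions, not values from the answer): adjust to your server.
$Top    = 'D:\Shares\TopLevel'
$Admins = 'EXAMPLE\Domain Admins'
$Browse = 'EXAMPLE\Domain Users'

# The four rights the answer lists, under their .NET FileSystemRights names.
$Wanted = [int]([System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadPermissions')
# Synchronize is commonly reported alongside allow entries; ignore it when comparing.
$Sync   = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-AbeFolderAcl {
    param([string]$Path, [string]$AdminGroup, [string]$BrowseIdentity)
    $acl = Get-Acl -Path $Path
    $findings = @()
    # "Allow inheritable permissions from the parent" must be unchecked.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent is still enabled'
    }
    $adminOk = $false
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) { $findings += "Inherited ACE present for $who" }
        if ($who -eq $AdminGroup) {
            # Full control applied to this folder, subfolders and files.
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.FileSystemRights -eq 'FullControl' -and
                $ace.InheritanceFlags -eq 'ContainerInherit, ObjectInherit') { $adminOk = $true }
        } elseif ($who -eq $BrowseIdentity) {
            # InheritanceFlags None is what the GUI shows as "This folder only".
            if ($ace.InheritanceFlags -ne 'None') {
                $findings += "$who ACE is not 'This folder only'; it flows down to subfolders"
            }
            $rights = [int]$ace.FileSystemRights -band (-bnot $Sync)
            if ($rights -ne $Wanted) {
                $findings += "$who has '$($ace.FileSystemRights)', expected only the four browse rights"
            }
        } else {
            # The answer's layout leaves no other entries on the top-level folder.
            $findings += "Unexpected ACE for $who"
        }
    }
    if (-not $adminOk) { $findings += "$AdminGroup lacks inheritable Full Control" }
    $findings   # empty output means the folder matches the described layout
}

Test-AbeFolderAcl -Path $Top -AdminGroup $Admins -BrowseIdentity $Browse
```

The same function can be pointed at each second-level folder with Bob's or Joe's account as `-BrowseIdentity` to confirm their browse entries are also "This folder only".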


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.