In favor of a do-it-yourself-IT environment I like users to be able to fulfill their needs themselves (controlled of course). There is however a feature that’s available to users by default that’s not making me happy at all: modifying file permissions.
Especially in a DFS environment knowledge is required when adjusting ACL’s. Sure you can prevent users from adjusting permissions using permissions, but I rather hide the security tab from the fileproperties dialog aswel.
In short, anyone that can read the file %windir%\system32\Rshx32.dll can see the security tab, while it’s hidden for those who doesn’t have these permissions.
Apart from the usual groups system and administrators I recommend to create an additional group and give it read access to the dll and remove the rest of the groups from the accesslist. This way you can control the visibility of the security tab by a group membership.
TIP: Configure permissions on Rshx32.dll by GPO.