With SFS, you can only control whether or not users accessing a share can change the files within it. With classic sharing, though, you have much more granular control.
Access to a shared folder is controlled through an Access Control List (ACL). This ACL controls who can do what to the share in question. There are three levels of share permissions, as described in Table 11-1.
For each of these three permissions, you set one of two conditions, called Allow and Deny. Allow grants the specific permission to a shared resource, and it is the default selection for a permission setting. Deny explicitly blocks the permission and supersedes Allow settings. The Deny condition adds another layer of complexity to shared resources and therefore should be used sparingly. For example, it is possible to Deny Read access for resources while allowing Change access. The result would be a folder in which a user could delete a file that he or she could not read. I can't even think of an example where you would want this.
If you don't want someone to change a file, just don't grant that person the Change permission in the first place. Under most circumstances, there's very little reason to use the Deny setting.
You access the share's ACL by clicking the Permissions button on the Sharing tab. You will see the dialog box shown in Figure 11-6.
Figure 11-6. The share-level Access Control List.
Notice that the Everyone group is automatically added to the Access Control List when the folder is shared. Furthermore, this group, which includes, well, everyone, has the Read permission to the shared folder.
To add entries to the ACL, click the Add button and then type the name of the user or group you want to add. In the example in Figure 11-6, I've added another user to the list (The Dude) and given this user Full Control to the folder.