
Here is an overview.
How to set, view, change, or remove special permissions for files
...Folder permissions include Full Control, Modify, Read & Execute,
List Folder Contents, Read, and Write. Each of these permissions
consists of a logical ...
http://support.microsoft.com/kb/308419
Also, you need to remove the Everyone group, otherwise that may
interfere or allow others that are not supposed to get into the folder
structure to read stuff. To do that, you need to uncheck inheritance,
then manually add the groups you want to allow. Don't forget to keep
System and Domain Admins in there as FC.
For Group C, assuming you have unchecked inheritance, you can go into
each subfolder and add GroupC. If you have inheritance still enabled,
then at the parent folder add GroupC providing Read only, then for each
subfolder where they need additional permissions, go into it and check
off what they need in addition to what has been inherited.
As for the Share permissions, you must allow the greatest amount of
permissions in the subfolder structure, or they will not get it.
Usually we just add Domain Admins FC, and Authenticated Users, Change.
Then whatever is set in the folder structure using NTFS will dictate
their effective permissions. This is because the system will look at
the Share permissions and combine any groups you have added. If a user is
part of more than one group, they will get all of them. This is called
the Least Restrictive. Then it looks at the NTFS permissions, same
thing goes providing the Least Restrictive. Then it combines each
evaluated Least Restrictive permissions and provides the MOST
restrictive.
For example, if Joe is part of Sales and Accounting, and Sales has
Share permissions Change, and Share permissions Read, then his Least
Restrictive is Change. In the NTFS permissions Sales and Accounting
both are set to Read only. So the NTFS Least Restrictive is Read. Then
it combines the two, and it comes up with Joe having Read, which is the
Most Restrictive.
Here are more examples:
==================================================================
Share Permissions and NTFS Permissions Folder Access Control & Folder
Permissions
The easiest way to do it is with groups.
Keep in mind for the following, that Share permissions allows the
initial connection. Then the NTFS permissions are combined with the
Share permissions to provide the Most Restrictive. This means that if a
user has Full Control on the Share permissions, and Read on the NTFS
permissions, the Effective (resulting) permission is that the user will
only have Read. That's why we can set higher Share permissions at the
parent for the initial access, then control the resulting or Effective
permissions with NTFS. No passwords are needed other than the user
being successfully logged on to the domain. When a user is logged on
successfully to a domain, an access token is given to the user account.
The access token is compared to the ACL (Access Control List) in the
Share and NTFS (security tab) permissions to determine access. That's
why no passwords are required, and is much easier than trying to deal
with multiple passwords. The system simply uses the AD user account for
access enumeration.
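
The evaluation order described above (least restrictive within the Share ACL, least restrictive within the NTFS ACL, then the most restrictive of the two) can be modeled in a few lines. This is an added example, not part of the original post. It assumes Allow entries only (no Deny ACEs), collapses permissions to three ordered levels, and uses hypothetical group names and ACLs constructed to match the Joe example and the Domain Admins / Authenticated Users share setup.

```python
# Added illustration, not from the original post.
# Assumptions: Allow entries only (no Deny ACEs), and permissions collapsed
# to three ordered levels so share and NTFS results can be compared.
SHARE = {"Read": 1, "Change": 2, "Full Control": 3}
NTFS = {"Read": 1, "Modify": 2, "Full Control": 3}
RESULT = {0: "No access", 1: "Read", 2: "Change/Modify", 3: "Full Control"}


def least_restrictive(acl, scale, token_groups):
    """Highest level granted to any group present in the access token."""
    return max((scale[perm] for group, perm in acl.items()
                if group in token_groups), default=0)


def effective_access(share_acl, ntfs_acl, token_groups):
    """Most restrictive of the share result and the NTFS result."""
    share = least_restrictive(share_acl, SHARE, token_groups)
    ntfs = least_restrictive(ntfs_acl, NTFS, token_groups)
    return RESULT[min(share, ntfs)]


# Constructed sample data following the post's examples.
# Joe: member of Sales and Accounting (the share split per group is assumed).
JOE_SHARE = {"Sales": "Change", "Accounting": "Read"}
JOE_NTFS = {"Sales": "Read", "Accounting": "Read"}

# Open share, with access controlled by NTFS on the Accounting folder.
OPEN_SHARE = {"Domain Admins": "Full Control", "Authenticated Users": "Change"}
ACCOUNTING_NTFS = {"Domain Admins": "Full Control", "SYSTEM": "Full Control",
                   "Accounting": "Modify"}  # Everyone removed, inheritance off

if __name__ == "__main__":
    print(effective_access(JOE_SHARE, JOE_NTFS, {"Sales", "Accounting"}))
    for user, groups in {"Joe": {"Authenticated Users", "Accounting"},
                         "Bob": {"Authenticated Users", "Marketing"}}.items():
        print(user, effective_access(OPEN_SHARE, ACCOUNTING_NTFS, groups))
```
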
Let's say you have the following structure.
Office Data
Accounting Folder
Marketing Folder
Sales Folder
Operations
Your users are as follows. They require access to their respective
folders but to no others.
Joe and Sally are accountants.
Bob and Sue are Marketing reps.
Tom and Jerry are in sales.
Wyle E and the Road Runner are in operations.
You create the following groups and add the appropriate users into
those groups.