I have, very intentionally, given users traverse rights to a shared folder on a server but write access to a subfolder. Here is the structure:
Local path on server: D:\Apps\MyAppFolder
Inside MyAppFolder is a file MyAccessApp.accde file (compiled Access front end application) and .accdb file (Access backend/table file)
Users have traverse-only to D:\Apps but read/write within D:\Apps\MyAppFolder
D:\Apps is shared as \MyServer\Apps$ and mapped via login script as S: drive.
So the path to the Access application is S:\MyApp\MyAccessApp.accde
The $ in the share name hides it so nobody can browse there without explicitly knowing about it.
The traverse-only to the root of Apps$ effectively makes the S: driver non-browsable. Unlike SQL server, where the database engine entirely masks the SQL database file structure so that the user has no rights to the actual SQL file folders, Access requires that the user have read/write access to the location of the Access front- and back-end files. By not allowing read, only traverse, of D:\Apps (the root of the S: drive), it keeps curious users from exploring their way to the file and accidentally moving or deleting either the front- or back-end files. Instead, I supply a shortcut directly to S:\MyAppFolder\MyAccessApp.accde. (The users have Access runtime installed so they can run the app).
Disclaimer: I know this is not absolute protection, so anyone goes off on a tangent about how someone could look at the properties of the shortcut and get there anyway, don't bother; absolute protection is not my goal nor the problem here. The fact is that these particular users might be prone to clicking on the S: drive in Windows Explorer and poking around but will probably never think to look at a shortcut, copy the target, and paste it into Explorer or Run. This is just a little "out of sight, out of mind" protection, which in my experience over the last 25 years in this business, is a greatly overlooked and underutilized approach to the avoidance of accidental and nuisance problems.
This has worked perfectly for years without any hitch on Windows 7. But as soon as we went to Windows 10, the first time (after each computer login) that a non-admin user double-clicks the shortcut, the user gets an error indicating, "The item 'MyAccessApp.accde' that this shortcut refers to has been changed or moved...Do you want to delete this shortcut.". If the user answers, "No", the user can just double-click the shorcut again, and the app opens fine. This persists until next computer logoff/logon.
Alternatively, if the user logs onto the computer, then right-clicks the shortcut, then Open File Location, the location opens in Windows Explorer. The user can then close the Windows Explorer and open the program without any denial. I have verified that things still work correctly on Windows 7 immediately upon computer logon, but that on at least two Windows 10 computers and two different domain users, it fails until it fails once or they go to the path once.
So it seems that the user has to access the read/write downline folder once before the user can actually open a shortcut to a file there. What is it about Windows 10 that requires the user to invoke a manual traverse before the shortcut-based traverse will work?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 45%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
