I can copy and paste the URL from the configuration e.g. http://server name / web server name / configuration name and the person using the URL can only see the web shares which is what I expect.
The security problems comes when the user shortens the URL to http://server name / web server name / which is a fairly common way to get closer to the home page. Then they can log in with their credentials and see EVERYTHING in the vault.
Restricting access to the folders through the groups greys out the folders but you can still open them in the web browser and view and make copies all the files.
I have no interest in giving away the Caramilk Secret to everybody. How do you plug this hole?