Broken Permission Inheritance?
Question regarding Permission Inheritance - I have SP2007 with multiple sites, subsites, and document libraries that have been set to not inherit permissions from the parent. Each having been set with specific users and/or group access. The problem is that users who should not be able to access those items (any domain users for example) are still able to do so. I do not have anonymous access enabled on these items. Is the behavior below correct or did something change? When I run the "Check effective permissions" on one of the affected document libraries for "Domain\Domain users" the report generated indicates the following:
Permissions for Domain\domain users (Domain\domain users)
No permissions.

The following factors also effect the level of access for Domain\domain users (Domain\domain users)

| Allow or Deny | Operation | Description |
|---|---|---|
| Allow | View Items | View items in lists, documents in document libraries, and view Web discussion comments. |
| Allow | View Pages | View pages in a Web site. |
| Allow | View Versions | View past versions of a list item or document. |
| Allow | View Application Pages | View forms, views, and application pages. Enumerate lists. |
| Allow | Open | Allows users to open a Web site, list, or folder in order to access items inside that container. |

Anonymous access
Anonymous access is not enabled on this scope
November 17th, 2010 12:27pm
Waaayyyyy late, but just ran into this one myself. As this is the only post on this subject I'll post my finding/resolution...
In my case it turned out to be anonymous access residual effects. Our portal at one time was set to allow anonymous access. Then, without turning it off at the individual sites, it was disabled in central admin.
To note, central admin does not enable anonymous access, it allows the capability. Also, it can flat out deny anonymous users (if it's turned on).
So, the resolution was to turn anonymous access back on in central admin, go to each portal site that broke inheritance (and the root site as well) and disable anonymous access, then go back to central admin to disable it again.
If you think this is silly, you can check for yourself. Use the admin toolkit to check effective permissions for a user you know should not have access. Even if they're not in any groups with access privileges, they still get the default anonymous access privs until you run through the steps listed, after which, you can confirm that the privs are gone.
So, thanks to MS for keeping me employed =)
June 13th, 2012 3:51am
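An added example, not part of either post: a read-only PowerShell audit that lists the webs and lists in a site collection that still carry anonymous settings, so the sites needing the steps described above can be found and the result confirmed afterwards. It assumes PowerShell 2.0 on a SharePoint 2007 server and that the leftover setting is what `SPWeb.AnonymousState` and `SPList.AnonymousPermMask64` report; the function names and the URL are illustrative.

```powershell
# Added example (not from the thread): read-only audit for SharePoint 2007.
# Run on a farm server as a farm administrator. The URL below is a placeholder.
param([string]$SiteUrl = "http://portal.example.local")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Hypothetical helper: builds one output row.
function New-Finding($scope, $url, $unique, $setting) {
    $row = "" | Select-Object Scope, Url, UniquePermissions, AnonymousSetting
    $row.Scope = $scope; $row.Url = $url
    $row.UniquePermissions = $unique; $row.AnonymousSetting = $setting
    $row
}

# Hypothetical function: walks every web and list in the site collection.
function Get-ResidualAnonymousAccess([string]$Url) {
    $disabled = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::Disabled
    $empty    = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Web-level state: Disabled, Enabled (lists/libraries only) or On (entire site)
                if ($web.AnonymousState -ne $disabled) {
                    New-Finding "Web" $web.Url $web.HasUniqueRoleAssignments $web.AnonymousState
                }
                foreach ($list in $web.Lists) {
                    # A non-empty mask means anonymous rights are still stored on the list
                    if ($list.AnonymousPermMask64 -ne $empty) {
                        New-Finding "List" ($web.Url + "/" + $list.RootFolder.Url) `
                            $list.HasUniqueRoleAssignments $list.AnonymousPermMask64
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-ResidualAnonymousAccess $SiteUrl | Format-Table -AutoSize
```

Rows with `UniquePermissions` set to True are the sites and libraries that broke inheritance and still hold an anonymous setting; an empty result after the cleanup confirms it took effect.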