How can I set the NTFS permissions on a folder for WORM-like behaviour?

You can set permissions to allow this, but you're probably going to find that you're not happy with the result. (I have yet to ever configure this for a Customer who has requested it and not had to go change it a few days later.)

In particular, some programs (Microsoft Word is a good example) assume that they can write files under one name, then rename them after writing. Other programs create the file, close the file, then re-open it for writing again. When such a program tries to write to a directory with permissions like you describe, you'll find that things break.

If you're just going to copy files into such a directory, you might have better luck.

Let's assume that you want "Authenticated Users" to be able to do this. You'll need to use the "Advanced" ACL editor to add the last permission:

SYSTEM - Full Control - Apply onto: This folder, subfolders, and files
Administrators - Full Control - Apply onto: This folder, subfolders, and files
Authenticated Users - Read - Apply onto: This folder, subfolders, and files
Authenticated Users - Create Files / Write Data - Apply onto: This folder and subfolders

This will allow "Authenticated Users" to create new files, but they won't be able to modify files they just created. (Obviously, members of SYSTEM and Administrators will be able to manipulate these files.)


Evan's answer was very helpful. Here, I've written a PowerShell script to reduce it to practice.

$worm="C:\WORM"
mkdir -Force $worm
cd $worm

<#  https://serverfault.com/a/17869

SYSTEM - Full Control - Apply onto: This folder, subfolders, and files
Administrators - Full Control - Apply onto: This folder, subfolders, and files
Authenticated Users - Read - Apply onto: This folder, subfolders, and files
Authenticated Users - Create Files / Write Data - Apply onto: This folder and subfolders

#>

# Allow: create files and subfolders, list and read
# (applies to this folder, subfolders and files)
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'CreateDirectories, CreateFiles, ListDirectory, Read', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Allow'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

# Deny: delete (applies to this folder, subfolders and files)
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'DeleteSubdirectoriesAndFiles,Delete', `
        'ContainerInherit, ObjectInherit', `
        'None', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm

# Deny: WriteData on files only (ObjectInherit + InheritOnly),
# so the folder still accepts new files
$acl  = Get-Acl $worm
$ace1 = New-Object Security.AccessControl.FileSystemAccessRule 'Users', `
        'WriteData', `
        'ObjectInherit', `
        'InheritOnly', `
        'Deny'
$acl.AddAccessRule($ace1)
Set-Acl -AclObject $acl -Path $worm
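
An added check, not part of either answer: it reads the folder's ACL and reports which mutating rights an identity still holds on child files, and on the folder itself, once the Allow and Deny ACEs are combined. `Get-WormGap` is a hypothetical helper name; it assumes the `C:\WORM` folder and `Users` identity from the script above, matches only ACEs that name the identity directly, and treats any matching Deny as overriding Allow.

```powershell
# Added example, not from the original answers. Get-WormGap is a hypothetical helper.
# Reports which mutating rights $Identity keeps on child FILES of $Path and on the
# folder itself, using only ACEs that name that identity (groups are not expanded).
function Get-WormGap {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid     = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType).Value
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $objInh  = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $file   = @{ Allow = 0; Deny = 0 }   # access masks that child files receive
    $folder = @{ Allow = 0; Deny = 0 }   # access masks that apply to the folder itself
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $sid) { continue }
        $kind = [string]$r.AccessControlType          # 'Allow' or 'Deny'
        $mask = [int]$r.FileSystemRights
        # ACEs flagged ObjectInherit are the ones files under the folder inherit.
        if ($r.InheritanceFlags.HasFlag($objInh)) {
            $file[$kind] = $file[$kind] -bor $mask
        }
        # ACEs without InheritOnly also apply to the folder object itself.
        if (-not $r.PropagationFlags.HasFlag($inhOnly)) {
            $folder[$kind] = $folder[$kind] -bor $mask
        }
    }
    # Simplification (assumption): any matching Deny overrides any matching Allow.
    $fileEff   = $file.Allow   -band (-bnot $file.Deny)
    $folderEff = $folder.Allow -band (-bnot $folder.Deny)

    $checks = @(
        @{ Scope = 'File';   Mask = $fileEff;   Rights = 'WriteData','AppendData','WriteAttributes',
           'WriteExtendedAttributes','Delete','ChangePermissions','TakeOwnership' }
        @{ Scope = 'Folder'; Mask = $folderEff; Rights = 'DeleteSubdirectoriesAndFiles' }
    )
    foreach ($c in $checks) {
        foreach ($name in $c.Rights) {
            $bit = [int][System.Security.AccessControl.FileSystemRights]$name
            [pscustomobject]@{ Scope = $c.Scope; Right = $name
                               Allowed = (($c.Mask -band $bit) -eq $bit) }
        }
    }
}

Get-WormGap -Path 'C:\WORM' -Identity 'Users' | Format-Table -AutoSize
```

The result is ACE arithmetic only: it does not expand group membership or account for the rights Windows implicitly gives a file's owner.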