NTFS Permissions - deny delete does not work
Solution 1:
You have to take into account that deleting/renaming a file is actually a write operation on the parent folder which is a special "file" that contains the list of children (files or subfolders). As such to prevent deleting a file, you need to remove the write permission on the parent folder.
see kb 308419 for an explanation:
The Delete permission allows or denies the user from deleting the file or folder. If you do not have a Delete permission on a file or folder, you can delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.
Solution 2:
To properly deny access to delete from the parent folder only and allow deleting from the subfolders you have to set two sets of permissions for the user/group.
Allow read write modify. This is important: keep "delete subfolder and files" checked off but uncheck "DELETE". I have found that if a user has permission for "delete", any deny permissions will not work! This should be applied to this folder, subfolders, and files.
DENY the user delete and "delete subfolders and files" and apply to this folder only.
I spent a lot time figuring this out and it works!