Security and ACL Issues
Every object in Information Store has an access control list (ACL). This list contains access control entries (ACE) for the object itself and for specific properties. All sending and retrieving of the ACL over WebDAV is done with the HTTP commands PROPPATCH and PROPFIND. These methods are used to manipulate the property in its native format because WebDAV does not process the ACL property.
If you are using ACLs, you should be aware of the following guidelines:
Warning Denying access to a document in IIS only protects it from being accessed through a Web browser. To protect a document, use the ACLs in System Manager.