With TFS 2008, say I have the following path:
You have a new user in that team project who is not a member of any groups and will need to be added directly to Source Control security. You want to add that user to the "Source" folder for check-in and check-out permissions including the folders below, but deny them everything above.
You proceed to add them directly to "Source" folder with "Check- Out" and "Check In" permission and deny "Read" permission on the folders above. You then leave inheritance on for all the folder below(in this example "Images").
But when you test, you will notice it fails. The user can’t check out anything unless they have read permission on the Team Project folder. Without "Read" permission, they receive the error message “The item $/Team Project does not exist on the server.”
The way I got this to work was to allow "Read" access to the “Team Project”. Next, on the "Project" folder, I had to uncheck "Inherit security settings" and add that account with Deny for "Read". I also had to re-add all of the default groups since they were no longer inherited from the Team Project.
As you move down a folder, I will leave "Inherit security settings" on since I was inheriting the deny read permission until I got to the folder that I wanted to grant them access. In this example, on folder "Source", I will uncheck "Inherit security settings" on that folder and manually add that user with the "Check In", "Check out", "Read", etc, permissions that I wanted. I also proceed to add default groups as well.
The user will now have the permissions required for that folder and below only.