As per the original thread "Denying access on a folder in all products"
Did you find a way to do this?
I think Mike's solution is the right one. This where ACLs do not scale and fall down. I had tried this approach of a subdomain but abandoned it cause it led to too many complexities. My recommendation is rethink why you need to restrict folder access in every area. Even in Active Directory managed Windows folders, this type of approach blows up.
Might work to create a Role, add the permission Delete WTDocument to that Role, then assign user(s) to that Role at Org level.
This will not tie it to a folder, but maybe that's ok?