Denying access on a folder in all products

I think Mike's solution is the right one. This where ACLs do not scale and fall down. I had tried this approach of a subdomain but abandoned it cause it led to too many complexities.  My recommendation is rethink why you need to restrict folder access in every area. Even in Active Directory managed Windows folders, this type of approach blows up.