We actually treat our meta data as less necessary to secure than our file
content. All of our internal users can see all object metadata (name,
number, description), but the ability to download content is more tightly
managed and audited. External users (ProjectLink users not in our
company), cannot see anything, not even meta data, for any objects outside
of only the projects they are a member of.
This way, people see what is there and where it is, but they have to get
download access to view the content if, in fact, they want to view the
content of something they cannot download. Obviously this approach won't
work in a defense or "secret" type of organization where you cannot even
let a person know something exists if they don't have a need to know, but
we are not in that kind of environment.
It is a nice feature that "download" is controlled separately from "read."
Al Anderson