Quote from the Plone mailing list:
I would like to add that this behaviour is standard Zope behaviour due to the way Zope permissions work. Zope permissions are 'additive' - by this I mean that you can always add permissions down the tree but you can never remove them and have the removal acquired. It's sort of hard to explain but if a sub item grants new permissions, then those new permissions will take precedence. In your case the visible sub items grant new permissions to objects from that point down. It may not be what you are expecting but it's perfectly correct behaviour for Zope & Plone. (Tom Cameron, 2005-03-07)
Now, if we assume a folder structure like:
- root
  - public folder
  - private folder
    - document 1
    - subfolder
      - document 2
By default, document 1, document 2 and the folder subfolder are in the visible state and can be accessed by anonymous users, even though the folder private folder is in the private state.
To change this behaviour and deny anonymous access to visible objects located beneath a private folder, make the following changes to the default_workflow:
- In the ZMI, go to the root of your Plone site
- Select portal_workflow > plone_workflow
- In the States tab, select the visible state and then its Permissions tab
- Deactivate the Access portal content and View permissions for the role Anonymous
- Repeat for the folder_workflow
For anonymous users, this makes all visible objects inherit their permissions from the parent object, i.e. if a parent folder is private, none of the objects beneath it are accessible to anonymous users.
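The effect of the change can be checked with a small model of the additive lookup described in the quote. This is an added example, not code from Zope or Plone: the Node class, the role sets per state, the site root granting View to Anonymous, and the placement of document 2 inside subfolder are assumptions made for illustration.

```python
# Simplified model of additive role lookup for one permission (View).
# Added illustration; the names and role mappings are assumptions, not Zope code.

class Node:
    def __init__(self, name, parent=None, acquire=True, roles=()):
        self.name, self.parent = name, parent
        self.acquire = acquire        # True: also take the roles granted further up
        self.roles = set(roles)       # roles granted View at this level

def roles_for(node):
    """Collect roles upwards until a level stops acquiring (grants only add)."""
    roles = set()
    while node is not None:
        roles |= node.roles
        if not node.acquire:
            break
        node = node.parent
    return roles

def anonymous_view_map(visible_roles):
    """Build the constructed sample tree and report who Anonymous can view."""
    # Assumed: the site root grants View to Anonymous and acquires nothing.
    root = Node("root", acquire=False, roles={"Anonymous", "Manager"})
    # Assumed: the visible state acquires and grants `visible_roles`.
    public = Node("public folder", root, roles=visible_roles)
    # Assumed: the private state does not acquire; only Owner and Manager.
    private = Node("private folder", root, acquire=False,
                   roles={"Owner", "Manager"})
    doc1 = Node("document 1", private, roles=visible_roles)
    sub = Node("subfolder", private, roles=visible_roles)
    doc2 = Node("document 2", sub, roles=visible_roles)
    nodes = (public, private, doc1, sub, doc2)
    return {n.name: "Anonymous" in roles_for(n) for n in nodes}

# Default workflow: the visible state itself grants View to Anonymous.
BEFORE = anonymous_view_map({"Anonymous", "Manager", "Reviewer"})
# After the change: Anonymous removed from the visible state's mapping.
AFTER = anonymous_view_map({"Manager", "Reviewer"})

if __name__ == "__main__":
    for name in BEFORE:
        print(f"{name:15} before={BEFORE[name]!s:5} after={AFTER[name]}")
```

In this model the visible items under private folder are viewable by Anonymous before the change and not after it, while public folder stays viewable because it now acquires the grant from the root.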