The only solutions I've found are inadequate. What I've found:
* At the root folder, find those permissions which are enabled for the anonymous role, and remove them in /private by de-selecting the "inherit permissions" checkbox and re-enabling appropriate roles.
* In /private, de-select _all_ "inherit permissions" checkboxes and re-enable appropriate roles.
That's what we had to do before local roles were added.
Is it possible to rearrange your folders so that you use local roles in a /public/ section?
My current problem revolves around the anonymous user. If I could make 'anonymous' a local role, that would potentially help, although with most web-sites the root of the site should be readable by anonymous, so it's not clear that it's an effective workaround. However, it still doesn't affect what I perceive to be the basic problem: a security system should offer one the ability to deny access, and the only mechanism I can find for doing so in Zope is to duplicate the security information from the parent folder and tweak it. That makes central administration harder and is error-prone.

-John
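
The two workarounds listed above and the "error-prone" point, as an added example that is not part of the original thread and is not Zope code: a simplified Python model in which a folder's roles for a permission are its own plus the parent's while "inherit" is checked. `Folder`, `lock_out`, `drift`, the "Add Documents" permission and the "Editor" role are assumptions made for the illustration.

```python
# Simplified model of permission inheritance between folders (illustration only, not Zope code).
class Folder:
    def __init__(self, parent=None):
        self.parent = parent
        self.settings = {}  # permission -> (inherit flag, roles listed on this folder)

    def set_permission(self, permission, roles, inherit):
        self.settings[permission] = (inherit, frozenset(roles))

    def effective_roles(self, permission):
        # Unset permissions behave as "inherit checked, no extra roles".
        inherit, roles = self.settings.get(permission, (True, frozenset()))
        if inherit and self.parent is not None:
            return roles | self.parent.effective_roles(permission)
        return roles

def lock_out(folder, role, permissions):
    """The workaround: uncheck inherit and copy the parent's roles minus `role`."""
    for p in permissions:
        kept = folder.parent.effective_roles(p) - {role}
        folder.set_permission(p, kept, inherit=False)

def drift(folder, role, permissions):
    """Per permission: (roles the copy is missing, roles it should not have)."""
    report = {}
    for p in permissions:
        expected = folder.parent.effective_roles(p) - {role}
        actual = folder.effective_roles(p)
        if actual != expected:
            report[p] = (sorted(expected - actual), sorted(actual - expected))
    return report

PERMS = ["View", "Access contents information", "Add Documents"]  # constructed sample

def demo():
    root = Folder()
    root.set_permission("View", {"Anonymous", "Manager"}, inherit=False)
    root.set_permission("Access contents information", {"Anonymous", "Manager"}, inherit=False)
    root.set_permission("Add Documents", {"Manager"}, inherit=False)
    private = Folder(root)
    # First workaround: only touch permissions Anonymous currently holds at the root.
    lock_out(private, "Anonymous", [p for p in PERMS if "Anonymous" in root.effective_roles(p)])
    before = drift(private, "Anonymous", PERMS)
    # Later edits at the root (constructed): a new "Editor" role, a new Anonymous grant.
    root.set_permission("View", {"Anonymous", "Manager", "Editor"}, inherit=False)
    root.set_permission("Add Documents", {"Anonymous", "Manager"}, inherit=False)
    return before, drift(private, "Anonymous", PERMS)

if __name__ == "__main__":
    print(demo())
```

After the root edits, the copied "View" setting in /private is stale (it never gains Editor), while "Add Documents", which was left inheriting, now admits Anonymous. Unchecking every permission instead closes the second gap and widens the first.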