Traverse a folder without permission?

I have been working with windows permissions for over 10 years now and though I knew what I was doing until now.
I seem to now be able to connect to a share path where I have no access to the root of the share or intermediate folders but do at the lower level folders. I always though I needed the traverse folder permission to do this but apparently not. Let me explain

I have created a share \\server1\data
The share permission is full control and the NTFS permissions are full control for admins and system. Inheritance is blocked on the data folder

I then create sub folders \\server1\data\L1\L2\L3
the sub folders are inheritning permissions from the Data folder. I now grant "testuser" read/write(modify) access to the L2 folder.

From a PC "TestUser" can do the following
\\server1\data - Access Denied
\\Server1\data\L1 - Access Denied
\\Server1\data\L1\L2 - Access granted

Bearing in mind that I have not granted "Testuser" any traverse rights to the data or L1 folders, why can "TestUser" access L2 and L3? Is there a technet article explaining this anywhere?

I can't see how that is possible. What are the permissions for L1 and L2?
Does testuser have "List" at Data and L1? If they can't get into Data then
how can they even see the sub folders?

Check the Group Policy Setting (or the local policy setting using gpedit.msc
if not in a domain):

Computer Configuration
[Policies - this level is present only on Windows Server 2008)
Windows Settings
Local Policies
User Rights Assignment
Bypass traverse checking

Here's the "Explain" text:

This user right determines which users can traverse directory trees even
though the user may not have permissions on the traversed directory. This
privilege does not allow the user to list the contents of a directory, only
to traverse directories.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service

Default on domain controllers:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access

Indeed it is the local security policy setting "bypass traverse checking" on the servers which is applying this to the folders. I never knew this was set by default to the everyone group on the local policy.
That said I never new the local security policy also applies logon local rights to the users group on 2003 server until an audit.

Thanks Bruce. Thats one headache gone, now to figure out why some of my laptops hung whilst installing software....

Happy to shed light! The defaults that apply if the setting is not
"defined" are usually documented in the Help for each setting.

So I've got the same issue but am having problems determining how to fix it from the discussion on this website. In my environment I have several volumes that are shared (you go to \\server and you can see several shared folders). If you double-click on any of the folders you can see (ex:\\server\folder1), you are given "access denied". If you browse to \\server\folder1\staff\userid, you have full rights and are able to browse the directory.

PROBLEM 1:
Our "Bypass traverse checking" options are set to defaults. We are running Windows 2003 R2 servers with a 2003 functional level. We have NOT given users traverse rights to folder1, or staff, but want them to be able to browse to the folders they have rights to by simply double-clicking thru to them.

PROBLEM 2:
With Novell, our users were able to traverse the folders down to the folders they had full access to without having to set any specific permissions. ALSO (and this is what I'd like to do with Windows), when they browsed to \\server, they were only able to see folder1, and folder 2 IF they had rights to a folder inside of folder1 or folder2. And then they were only able to see the folders that led them to the folder they did have full access to (ie: usera was only able to see \\server\folder1\staff\userid, and NOT \\server\folder1\staff\otherusersids). Is this even possible in a windows environment?

Thanks for the quick response! I was actually (and just found out) that I was looking for "Access-based Enumeration". I just need to read up on how to set it up. Any Idea's?

List Folders will enable people to navigate through the tree.
Traverse is the right to pass-through to the destination, without the right
to read anything (including folder name)

Sure. List folders + Traverse is the poor man's version of ABE, or at least
the Windows version before R2. Let us know if you have any problems with it