I recently set up a lab with a DC, a MOSS box and a SQL box, not VPCs or VServers, but actual hardware.  The plan is to have an environment where I can recreate scenarios, problems etc.  I ran across a problem where I wanted to search a file share on my network AND I didn't want anyone to know where the actual file was coming from.  At first I set up a content source to the D$ default hidden admin share and the crawler failed with an access denied message.  I then created a share on the folder but made it hidden from the network browser (d:\docs is shared as Crawl-docs$).  Then I only allowed domain admins and the crawler to see the share and limited connections to the share to 10.  Then I created the content source to point to the share and that worked.

The next problem was how do I hide the actual path to the document?  Under the SSP -> Search Settings, there is a feature called Server Name Mappings that allows you to mask the URL that gets returned in the search results.  I added a server mapping for my file share as http://archive (I also added a DNS entry to point to this site).  Then in IIS I created a virtual directory on my file share that exposes the files over http.  I only allow authenticated users to the file share and did not enable browsing so that the users would have to know the URL to the document to see it.  I found that you have to recrawl after you change the server mapping.

The benefit is that I don't have to provide the users with a path to the actual file share and I can ACL the files in one place, while still allowing users to search it.

Now what if the network file share isn't a member of the domain?  This one was tough as there is no way to create a rule that uses a local machine account when crawling the file share; only certificates, basic or domain users are allowed.  Luckily it was a Windows machine so I created a hidden share that allowed Everyone read access to it.  That worked.
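
The hidden share from the first paragraph, plus a check that lists hidden shares readable by broad principals such as the Everyone share in the last paragraph, as an added example that is not from the original post. It assumes a Windows version that includes the SmbShare PowerShell module (Windows Server 2012 or later); the domain and account names are placeholders.

```powershell
# Added example. The domain and account names are placeholders, not values from the post.
$ShareName  = 'Crawl-docs$'        # trailing $ keeps the share out of network browsing
$SharePath  = 'D:\docs'
$CrawlerAcc = 'LAB\svc-crawler'    # hypothetical crawler (content access) account
$AdminGroup = 'LAB\Domain Admins'  # hypothetical domain name

function New-CrawlShare {
    param(
        [string]$Name, [string]$Path,
        [string]$Crawler, [string]$Admins,
        [int]$MaxUsers = 10
    )
    # Naming the principals explicitly means the default Everyone:Read entry
    # is not added to the share ACL.
    New-SmbShare -Name $Name -Path $Path `
        -ReadAccess $Crawler -FullAccess $Admins `
        -ConcurrentUserLimit $MaxUsers `
        -Description 'Search crawl source'
}

function Get-BroadHiddenShare {
    # Hidden, non-administrative shares whose share ACL allows a broad principal.
    # The hidden flag only affects browsing; the share ACL decides who can read.
    $broad = 'Everyone', 'ANONYMOUS LOGON',
             'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    Get-SmbShare -Special $false |
        Where-Object { $_.Name.EndsWith('$') } |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName
        } |
        Select-Object Name, AccountName, AccessRight
}

# Create the restricted share, then confirm who can reach it.
New-CrawlShare -Name $ShareName -Path $SharePath `
    -Crawler $CrawlerAcc -Admins $AdminGroup
Get-SmbShareAccess -Name $ShareName

# Run on each file server; an empty result means no hidden share is open to everyone.
Get-BroadHiddenShare
```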