Holy cow, I wrote a book!
Here's a question that floated past my view:
How do I set the ACLs on a file so users can read it
but can't copy it?
I can't find a "Copy" access mask that I can deny.
If I can't deny copying, I'd at least like to audit it,
so I can tell who made a copy of the file.
There is no "Copy" access mask because copying is not
a fundamental file operation.
Copying a file is just reading it into memory and then
writing it out.
Once the bytes come off the disk, the file system has no
control any more over what the user does with them.