Bill, what do you typically recommend in this case? Do you set the Deny permission on all permissions for every project group? I have found what I thought was a clever way to do this but I want to get your opinion. I did the following:
1. right-click the branch or folder in question, and choose Security
2. Add Team Foundation Server Group "Project Collection Valid Users"
3. Set deny on all items except Read and Manage permissions.
Then EVERYONE in the project collection is locked out by clicking the deny settings in one place, one time. Having to change settings for multiple groups is error prone. And it is easily reversed by someone with sufficient authority. That reversal
capability is great to prevent unintentional hassles. But since the setting can be changed back and forth indefinitely, auditors would have to view history and examine to ensure no changes were made after launch date, since an administrator could remove the
Deny, make a change, and reapply the Deny. There wouold be no evidence of the security change, though there would be evidence of the code change.