FileSystemRights Issues (C#)

I'm fairly new to file systems and permissions/rights access (aka Access Control List, ACL). While coding with regards to ACL, I am not able to set properties I want to the files. I'm unsure if my understanding of FileSystemRights members are wrong, or I'm totally doing the wrong thing. (And I'm spending quite some time on this part already)

What I'd like to do is change the rights of a file, so that it can only be soelly readable AND cannot be edited, renamed, deleted开发者_如何学运维 and copied elsewhere.

Using the MSDN's example, here's what I have so far:

try
{
    //Get current identity
    WindowsIdentity self = System.Security.Principal.WindowsIdentity.GetCurrent();

    // Add the access control entry to the file.
    AddFileSecurity(filename, self.Name, FileSystemRights.Modify, AccessControlType.Deny);
    AddFileSecurity(filename, self.Name, FileSystemRights.Write, AccessControlType.Deny);
    AddFileSecurity(filename, self.Name, FileSystemRights.ReadAndExecute, AccessControlType.Allow);

    // Remove the access control entry from the file.
    RemoveFileSecurity(filename, self.Name, FileSystemRights.ReadAndExecute, AccessControlType.Deny);
    RemoveFileSecurity(filename, self.Name, FileSystemRights.Read, AccessControlType.Deny);

    Console.WriteLine("Done.");
}
catch (Exception e)
{
    Console.WriteLine(e);
}

My logic is that:

1. Add Deny Modify rights (Denying .Modify will cause the file to become unreadable)
2. Add Deny Write rights
3. Add Allow ReadAndExecute rights
4. Remove Deny entry on ReadAndExecute (As .Modify denies ReadAndExecute)
5. Remove Deny entry on Read (As .Modify denies Read)

Am I doing this part correctly? If not, please advise on what should I do to make the file only readable only and not editable, renamable, deletable and copiable. Many thanks in advance!

Please explain what it is doing wrong. The only thing I see that may be an issue is that you're setting the permissions for yourself, but not the other users, or groups. Perhaps you should iterate through all the groups (admins, users, etc) and disable all but read&execute. Although I think SYSTEM always has full control of all files.