Well, who knows about this notes.ini parametr? Not me, and it’s documented 🙁
When you use Directory link, which I use time to time and really like it, because it powerful feature of Lotus Domino, I know that you can hide this directory for some users. I also know, that if these users know the directory name, they can type it in Open Database dialog box and voila – the directory will open. But I wasn’t aware, that when you use ENABLE_ACL_FILES=1 parametr in notes.ini, which is enabled for servers in xSP configuration by default, the ACL is checked on directories as well and there should be protection. OK, learning every day is really fine.