Yes, just need to Enable Security on the enhanced folder  and list who
has access  to with their rights.

but the Administrator of the workspace, using the server, can
still get to the folder  and change the permissions.

I am trying to create a folder, or protect a document, so that *only*
the people who have access  can access and anyone else, including co-
ordinators and administrators, can not overwrite the permissions.

No matter if you place it into an enhanced folder  or a standard folder,
anyone who is a local admin will have read access  and set security
access.
The only way to limit who has access is to :
1. Assign proper users/groups to the roles on the folders.
2. Limit the Local Admin group.

You can not deny or remove the Local Admin Privilage.

Once you create the enhanced folder, go into the properties of the
folder and remove the administrator from the security  list. Make sure
you uncheck the box that states something like "inherit security from
parent node". Only add in authorized users for that folder.

I tried that, and it does prevent unauthorised people from getting in
as long as they don't use the SharePoint machine itself.

I found that by using the SharePoint machine, and logging in as the
Administrator, I was able to browse to the folder  and view any files
inside.

I even tried creating a file inside the folder that explicitly denies
the Administrator access; this has no effect. The Administrator could
not check out/in the document, but they could read it.

Anymore ideas anyone?

The help files will explain this. Local Admins have read access  and
change security  access anywhere in the system. Sharepoint will override
any deny access account when the account is a local admin. The only way
to limit the privileges of a Local Admin account is to limit the local
admin account members to those are trusted within your org.

I'm not a network admin, but I was able (with help from our network folks)
to create a document  folder called Private. I gave the coordinator right to
our CTO, and author rights to two others. Any folders they create underneath
will inherit these rights.

Then, in IIS, I opened that folder  and denied access  to the folder to
everyone in the company  but those three people. When anyone but the three
click on that folder, they get a customized error message indicating the
resource is off limits. Of course I had to be given rights to the folder
WHILE I CREATED IT AND PROVIDED THOSE SECURITY SETTINGS, but once they were
there, I could remove myself (actually removed my IP address) from access.
Now there's a secure lockdown on the folder that should be sufficient for
our purposes. I have no illusions that someone with abilities couldn't get
in, but they'd have to work at it, and I believe a breach would be logged.

If anyone can think of an obvious way this is insufficient, I'd love to hear
that.