I have created a new no-code expenses solution in SharePoint 2010 (with InfoPath 2010) and was going to permission individual documents via SharePoint Designer workflows.

However, after a recent conversation with Microsoft technical experts, the suggestion was that if there are going to be more than 5000 items in the library then we shouldn’t be setting unique permissions for each form due to performance degradation.

So whilst looking at other options I came across an out-of-the-box STSADM command to block regular users from accessing the forms pages in the new expenses site. This would prevent a user from getting to pages such as allitems.aspx:

stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

More info here: http://blogs.msdn.com/b/russmax/archive/2010/01/22/lockdown-mode-in-sharepoint-2010.aspx. In my case this is for authenticated users – once activated I also had to remove the “View Application Pages” permission from the Contribute permission level I was using.

This would have been a great solution, however the downside was that enabling this feature also blocked regular users from connecting to the .aspx pages in the _vti_bin folder.  There are pages in here that are required for my InfoPath form when it opens – lists.aspx is one.

What happens now is the user gets prompted to enter a username and password when they open the form, but their own username and password don’t work as their access is blocked.

So I deactivated the lockdown mode with this command:

stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

And checked that users could again see the allitems.aspx page, and they could. But the _vti_bin location was still inaccessible to regular users. Puzzling.

The solution I found was that I had to create a new permission level in the site (by copying the Contribute permission level I was using) and assign all authenticated users to it. This resolved the issue connecting to _vti_bin pages and users are no longer prompted to log in when opening the InfoPath form.
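
To check what state the site collection is actually in after toggling lockdown mode, the following is an added example, not part of the original post. It reports whether the ViewFormPagesLockDown feature is active and which permission levels on the root web still carry "View Application Pages" (ViewFormPages) and "Use Remote Interfaces" (UseRemoteAPIs). Assumptions: the function name Get-LockdownAudit is hypothetical, permission levels are defined at the root web, and UseRemoteAPIs is included because it is the base permission SharePoint uses for SOAP access under _vti_bin.

```powershell
# Added example: run from the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-LockdownAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SiteUrl   # site collection URL, same value passed to stsadm -url
    )

    $site = Get-SPSite -Identity $SiteUrl
    try {
        # With -Site, Get-SPFeature returns the feature only when it is
        # activated on that site collection; otherwise it returns nothing.
        $feature = Get-SPFeature -Identity ViewFormPagesLockDown -Site $site `
                                 -ErrorAction SilentlyContinue
        Write-Host ("ViewFormPagesLockDown active: {0}" -f [bool]$feature)

        $viewForms = [Microsoft.SharePoint.SPBasePermissions]::ViewFormPages
        $remoteApi = [Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs

        # One row per permission level, showing the two base permissions
        # that decide access to form pages and to _vti_bin web services.
        foreach ($role in $site.RootWeb.RoleDefinitions) {
            $bp = $role.BasePermissions
            New-Object PSObject -Property @{
                PermissionLevel     = $role.Name
                ViewApplicationPages = (($bp -band $viewForms) -eq $viewForms)
                UseRemoteInterfaces  = (($bp -band $remoteApi) -eq $remoteApi)
            }
        }
    }
    finally {
        # Disposing the site also releases its RootWeb.
        $site.Dispose()
    }
}

# Example call; replace the placeholder with the real site collection URL.
# Get-LockdownAudit -SiteUrl "<site collection url>" |
#     Sort-Object PermissionLevel |
#     Format-Table PermissionLevel, ViewApplicationPages, UseRemoteInterfaces -AutoSize
```

Running it before activating the feature, after activating it, and after deactivating it gives a record of which permission levels changed at each step.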