This directory should not be under your document root, instead it should lie outside the web server root, and you should use a php script to handle the download and the file and folder listing. This way when the user clicks on "http://example.org/foo/bar/word.doc"; the "/foo/bar/word.doc" will be stripped of with a rewrite rule and sent to "download-or-list.php (for example) which should access the file and send it along or list the contents (in the case of clicking on "http://example.org/foo/bar/";) and output that.
You would then use permissions to allow access to the files on the shared drive by the domin user that the apache web server (and php running inside it as a module) - and these should be as restrictive as you need to make them. Sent from my BlackBerry® wireless device
