ACLs for Hiding Folder and Preventing Opening of Files

I thought I had a reasonable understanding of ACLs, but the behavior of OS X afp shares baffles me.

I need to do two things:

• Hide selected directories within a share from all members of a group. They should be unable to see that these folders even exist.
  
• Prevent members of a group from opening files on a share, while allowing them the ability to copy the files. The idea is to force them to copy files to local storage in order to open them.

I'm clear the deliberately crippled control over ACLs Server.app provides is likely insufficient to the task (really? no deny capability? ***?). My attempts to deny all privileges using the command line look good on paper, but in practice create bizarre effects whent the client views the share, such as the denied folders appearing to be inaccessible replications of the containing sharepoint.

Advice will be much appreciated.

I running Server 3.0.2 under 10.9.1. All the client systems are running 10.9.1.