Jason, may I re-visit a (key) bit of the detail here?
The site is half http and half https. So, as far as I can see:
I first need to set the https folders off-limits to everyone. Then I selectively make accessible folders in https, according to user level.
As mentioned above - but not necessarily relevant here, since you have pointed me to the user level tutorial - there are four user levels The two most junior levels each have access to a couple different folders each. Then the next level up has access to the combination of all four of the junior level folders. Finally, admins have access to the entire https area.
May I check please - is it correct to first set all https off-limits, then selectively grant access by user level? If so, to check, what may I have left out?
Much thanks, David