Abstract: A method for controlling access to network file shares independently from access controls of file shares is provided. The method includes examining a file operation at a client to determine a target destination of the file operation; determining whether the target destination of the file operation is a remote destination to the client; determining whether the target destination of the file operation is in a same realm as the client; and if the file operation is a remote destination and is in the same realm as the client, sending an authorization request to a server. Another method includes examining a file access request of a file operation; controlling access to a file indicated in the file access request based on information in the file access request; and logging accessed and denied file operations.