I would think you can do just READ/EXECUTE for the bin folder and then specifically add WRITE to just the *.dfr file inside bin. This would be slightly more secure.
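One way to apply the permissions suggested above with icacls from PowerShell, followed by a check that nothing else in bin is writable by the application account. This is an added example, not part of the original post; the site path and the account name are assumptions.

```powershell
# Assumptions (not from the original post): both values below are hypothetical.
$BinPath  = 'C:\inetpub\wwwroot\MySite\bin'   # hypothetical site path
$Identity = 'IIS AppPool\MySitePool'          # hypothetical account the app runs as

# 1. Read/execute on bin, inherited by the files and subfolders inside it.
#    /grant:r replaces any explicit rights this account already had on the folder.
icacls $BinPath /grant:r "${Identity}:(OI)(CI)RX"

# 2. Add write on the existing *.dfr file(s) only.
Get-ChildItem -LiteralPath $BinPath -Filter '*.dfr' -File | ForEach-Object {
    icacls $_.FullName /grant "${Identity}:(W)"
}

# 3. Check: report any other file in bin where this account holds a write-type right.
#    Only ACEs naming the account itself are checked; rights that reach it through
#    a group (Users, Everyone, ...) need a separate review.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

Get-ChildItem -LiteralPath $BinPath -Recurse -File |
    Where-Object { $_.Extension -ne '.dfr' } |
    ForEach-Object {
        $file = $_
        (Get-Acl -LiteralPath $file.FullName).Access |
            Where-Object {
                $_.IdentityReference.Value -eq $Identity -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0)
            } |
            ForEach-Object {
                "Unexpected write access: $($file.FullName) [$($_.FileSystemRights)]"
            }
    }
```

Write on the existing file covers in-place updates only. If the application deletes and recreates the .dfr file, it also needs the right to create files in bin, which widens the grant.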