BusinessObjects Folder Security

I have a user group that runs Web Intelligence reports. I've noticed that when they run these reports they have access to the Open button and they can see folders that I don't want them to see. In fact, I would prefer that this group not have access to the Open button at all, as the link they use should execute this report and only this report. The security for these folders shows that this group has 'View On Demand (Inherited)' listed, and I can't remove it. How do I get this security the way I want? Is there a good CMC security document somewhere?