There are several ways to achieve this:
a) Use MountCapableFileSystemProvider class to construct a virtual file system from specific file system directories the user should have access to. This can be done on-the-fly inside a custom authentication provider which is called when the user is logging in.
b) Give users access to (let's say) C:\, but use file system notifiers API to prevent users from seeing (or indeed accessing) files and directories they are not supposed to see (or access). To hide files or directories from a listing, use
GetChildrenSurrogate notifier event.