web folder permissions

I have a "web folder" IIS 7.5 server with webdav.

I have a webfolder folder and user folders under this, like userA, userB etc.

User folders have basic auth enabled and anonymous auth disabled. NTF Folder Permissions are as follows

webfolder:

System - Full control

SERVERNAME\Administrators - Full control

SERVERNAME\users - Read & Execute, list contents, read

SERVERNAME\IIS_IUSRS - Read & Execute, list contents, read

UserA:

System - Full control

SERVERNAME\Administrators - Full control

SERVERNAME\users - Read & Execute, list contents, read

SERVERNAME\IIS_IUSRS - Read & Execute, list contents, read

Domain\UserA - Full Control

UserB shouldn't access UserA folder but he can. I don't understand why. You may think that it is because SERVERNAME\IIS_IUSRS has read access but I also have another "web folder" server with same permissions and userB cannot access userA's folders.

I couldn't find out why. Does anyone have an idea?