Just this week, I accidentally found out that users were able to access Site Settings page, with some sections open out publicly accessible, for example the Regional Settings column! This raise a security threat as we don’t want users to be able to touch these settings. After much digging, I realised it’s because one custom permission that was created for the users have “Browser Directories” permission checked. Once this is unchecked, then they are denied from accessing the setting page.
Infopath has the ability connect to an external data source for data. The problem is there’s not a lot of information available on the net in guiding you to do this. You will most likely bump into problem when publishing the form to run on browser, to your production server where there’s multi-tier architecture (i.e. having multiple servers).