Creating a very limited user account to run a service
- From: jonas.maurus@xxxxxxxxx
- Date: 6 Sep 2006 08:04:29 -0700
Hi everybody.
I've looked everywhere, I googled, I read windowssecurity.com, I found
no information on how to do this :-(. So I have to ask for help:
I want to run Subversion as a service on a Windows XP 64bit Pro
machine. To do this, I use SrvAny.exe by Microsoft. I created a service
that runs svnserve.exe (Subversion's server process).
My problem is this: I want to create a user that svnserve.exe runs as
that is restricted to read just the directory that contains my code
repository, nothing else. The user can't login, can't open any files or
anything outside of c:\repositories.
I created a user account called SVN (with password) using the
Computer-Management MMC and didn't add it to any group, so that it
doesn't inherit existing group-level permissions for "Users". Then I
used the Local Security Policy Snap-In to give SVN the permission to
"Logon as a Service".
But this doesn't work as it seems that any process automatically is
part of the Builtin\Users group that, according to Sysinternals'
Process Explorer, is "mandatory" (whatever that means). Users has
Read/Execute rights on c:\ and these are inherited by c:\repositories.
So while SVN might not be able to read or open files, any process
started by SVN can... as far as I understand that.
However, removing "Users" from c:\ and adding SVN to c:\repositories
with "Full Control" privileges interestingly removes SVN's ability to
read or write files from c:\repositories even though the user account
has full control privileges...
please help me, I have no idea how to do this.
How do I create a user-account that has access to only one directory?
(and additionally all libraries that are needed to run a Win32
executable, presumably read&execute access to c:\windows and
c:\subversion)
Thanks!
-Jonas
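The setup the post is after, as an added example that is not part of the original message or of Subversion: a dedicated local account, NTFS rights confined to the repository, and the service bound to that account. It assumes the names from the post (account SVN, C:\repositories, C:\subversion, a service called svnserve) and a Windows build that ships icacls.exe; on plain XP the older cacls.exe has to stand in.

```powershell
# Added example (not from the original post): create a dedicated local account,
# confine its file-system rights to the repository, and bind the service to it.
# Assumptions: account name SVN, repository at C:\repositories, svnserve under
# C:\subversion, service name "svnserve" (the SrvAny wrapper from the post),
# and icacls.exe available (Vista / Server 2003 SP2 or later; plain XP only
# has cacls.exe). Run from an elevated (administrator) PowerShell.

$Account  = 'SVN'
$Password = 'ChangeMe-ThisIsAPlaceholder'   # placeholder, set a real one
$RepoDir  = 'C:\repositories'
$Service  = 'svnserve'

# 1. Local account whose password cannot be changed and does not expire.
#    "net user /add" places a new account in the Users group by default,
#    so take it out again to keep its group memberships minimal.
net.exe user $Account $Password /add /passwordchg:no /expires:never
net.exe localgroup Users $Account /delete

# 2. Repository directory: stop inheriting the C:\ ACL (which carries the
#    Users read/execute entry), drop Users from the subtree, then grant the
#    service account only what svnserve needs. Modify (M) is needed because
#    svnserve writes to the repository on commit; use RX for a read-only mirror.
icacls.exe $RepoDir /inheritance:d
icacls.exe $RepoDir /remove:g Users /T
icacls.exe $RepoDir /grant "$($Account):(OI)(CI)M" /T

# 3. The binaries and their DLLs stay readable through the default read+execute
#    ACLs on C:\Windows and the install directory; nothing extra is needed unless
#    those defaults were tightened. The "Log on as a service" right is still
#    assigned in the Local Security Policy snap-in, as described in the post.

# 4. Bind the service to the account. sc.exe requires the space after "=",
#    and the explicit .exe avoids PowerShell's "sc" alias for Set-Content.
sc.exe config $Service obj= ".\$Account" password= $Password

# 5. Verify: effective ACL on the repository and the account the service uses.
icacls.exe $RepoDir
sc.exe qc $Service | Select-String 'SERVICE_START_NAME'
```

The SVN account's process token will still carry the Users group (that is the "mandatory" entry Process Explorer shows), which is why step 2 removes Users from the repository ACL rather than trying to remove the account from the group.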