When you say 'files' you mean the DB files themselves? (DBname.mdf, DBname.ldf).
My pref is to set security @ the MSSQL directory (for 2005 this is: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL) and take the inheritance setting off.
Then assign full control to the sql run time account (the user that SQL server runs under). This way only SQL server can access that directory (all db files, log files, backups rah diddy rah).
You will probably find Domain admins etc in there too.
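
The steps described in the post above, as an added PowerShell example that is not part of the original post: it lists who currently has access to the directory, turns inheritance off, and leaves a single full-control entry for the SQL Server service account. The function name `Set-SqlDataDirAcl` and the account name in the comment are hypothetical; substitute the account your SQL Server service actually runs under.

```powershell
# Added example, not from the original post.
# Assumption: $ServiceAccount is the account the SQL Server service runs under.
function Set-SqlDataDirAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL',
        [Parameter(Mandatory = $true)]
        [string]$ServiceAccount   # e.g. 'EXAMPLE\svc-sql' (constructed name)
    )

    $acl = Get-Acl -Path $Path

    # Show every other principal with access today (Domain Admins and so on),
    # so nothing is removed without having been seen first.
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -ne $ServiceAccount } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    # Inheritance off: $true protects the ACL from the parent,
    # $false discards the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove any explicit entries that were set directly on the directory.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($entry in $explicit) {
        $acl.PurgeAccessRules($entry.IdentityReference)
    }

    # Full control for the service account, applied to subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Replace ACL with FullControl for $ServiceAccount only")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Return the ACL as it now stands on disk for verification.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

Run it with `-WhatIf` first to see the current entries without changing anything. Files and subfolders that carry their own explicit entries keep them and need the same review.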