MacOS – Preventing access to mounted volumes for non-admin users

It's easier to just have each user store their private information in encrypted disk images since the old Filevault (1) method of encrypting the entire home folder isn't something you can set up on Lion with easy tools.

Lion does still support it, so you could migrate in a shell system that had the necessary accounts set up to use file vault, then encrypt the drive and finally move in the files from a backup external drive and presumably have both the legacy filevault storage scheme as well as the new scheme where the entire disk is unavailable until the drive password is entered.

Keep in mind - root (and any admin user that knows sudo) has total control of the system and can delete, remove any protection that was set by root. Using encryption with a distinct password is the only method to prevent root from actually making sense of the files it can easily access.

AFP mounts are tied to both a path and an authentication.

An exported volume might have multiple paths. For example, an OS X server might export its root, the /Users/ folder, and the /Groups/ folder. Each of these can be mounted separately. In your case, your NAS may be exporting its volume under multiple paths. It might even be exporting the same path multiple times. Check the NAS' settings.

Each AFP mount is tied to a particular authentication (username/password). You can mount the same volume/path multiple times using different authentications. Its possible that the credentials you used in those two different places are subtly different. Depending on the NAS, it might even come down to whether your long username or short username are used. Your NAS might not even require a username (only a password) and might ignore whatever username is given. OS X has no way of knowing that and so two different usernames (long versus short) might produce two different mounts even though they lead to the exact same volume.