Channel: File Services and Storage forum

Security Permissions question


Parent Folder

-Child Folder 01

-Child Folder 02

-Child Folder 03

If a user is in a Domain Local AD group that has access to CF01 and CF03, I want them to be able to navigate to Parent Folder (\\domain\dfs\parent) and only see CF01 and CF03.

As part of that, I want them to be able to add files and folders inside either CF01 or CF03, BUT I don't want them to be able to inadvertently drag/drop the CF01 folder into the CF03 folder.

Rather than type out each setting, I've included the PowerShell Get-Acl output for all three folders.

I'm almost there, because I've got User1 only seeing CF01 and CF03 and they are able to open and view the contents, and not see CF02.

User1 can add files/folders to CF03, User1 can edit files in CF01, but can't add files/folders to CF01.  User1 can't drag/drop CF01 into CF03 and vice-versa (which is what I want).

Does it look like I'm overlooking a setting on the Security tab of either CF?

Path   : Microsoft.PowerShell.Core\FileSystem::\\domain\dfs\parent
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         DOMAIN\Administrator Allow  FullControl
         DOMAIN\DL_DM_ALL_LFC Allow  ReadAndExecute, Synchronize
         DOMAIN\DL_DM_IT_FA Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-2670568672-578679464-3423941738-500)(A;;0x1200a9;;;S-1-5-21-2670568672-578679464-3423941738-4677)(A;OICI;FA;;;S-1-
         5-21-2670568672-578679464-3423941738-4679)

Path   : Microsoft.PowerShell.Core\FileSystem::\\domain\dfs\parent\CF01
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\DL_DM_CF01_ALL_MOD Allow  Modify, Synchronize
         DOMAIN\DL_DM_CF01_ALL_LFC Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         DOMAIN\Administrator Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         DOMAIN\DL_DM_IT_FA Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:AI(A;OICIIO;0x1301bf;;;S-1-5-21-2670568672-578679464-3423941738-4683)(A;;0x1200a9;;;S-1-5-21-2670568672-578679464-3423941738-4691)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;S-1-5-21
         -2670568672-578679464-3423941738-500)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-2670568672-578679464-3423941738-4679)

Path   : Microsoft.PowerShell.Core\FileSystem::\\domain\dfs\parent\CF03
Owner  : BUILTIN\Administrators
Group  : DOMAIN\Domain Users
Access : DOMAIN\DL_DM_ALL_MOD Allow  Modify, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         DOMAIN\Administrator Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         DOMAIN\DL_DM_IT_FA Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:AI(A;OICI;0x1301bf;;;S-1-5-21-2670568672-578679464-3423941738-4689)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;S-1-5-21-2670568672-578679464-3423941738-500)(A;OICIID;FA;;;BA)(A;OICII
         D;FA;;;S-1-5-21-2670568672-578679464-3423941738-4679)
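
An added example, not part of the original post: the Sddl strings carry the inheritance flags that the Access column of Get-Acl does not show, so this decodes the three DACLs from the output above and lists which objects each ACE applies to. The function name Get-AceScope and the variable names are assumptions made for the example; it runs on Windows and needs no access to the share.

```powershell
# DACL parts of the Sddl values from the Get-Acl output above, with the console
# line wraps rejoined. The O:/G: owner and group parts are left out because the
# DU alias only resolves on a domain-joined machine.
$d = 'S-1-5-21-2670568672-578679464-3423941738'   # domain SID prefix as shown in the post
$dacl = [ordered]@{
    'parent' = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;${d}-500)(A;;0x1200a9;;;${d}-4677)(A;OICI;FA;;;${d}-4679)"
    'CF01'   = "D:AI(A;OICIIO;0x1301bf;;;${d}-4683)(A;;0x1200a9;;;${d}-4691)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;${d}-500)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;${d}-4679)"
    'CF03'   = "D:AI(A;OICI;0x1301bf;;;${d}-4689)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;${d}-500)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;${d}-4679)"
}

function Get-AceScope {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Sddl
    )
    # RawSecurityDescriptor parses the SDDL text locally; nothing is read from disk.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $flags = [int]$ace.AceFlags
        $scope = @()
        if (-not ($flags -band 0x08)) { $scope += 'this folder' }  # IO (inherit-only) is clear
        if ($flags -band 0x02)        { $scope += 'subfolders' }   # CI (container inherit)
        if ($flags -band 0x01)        { $scope += 'files' }        # OI (object inherit)
        [pscustomobject]@{
            Folder    = $Folder
            Sid       = $ace.SecurityIdentifier.Value
            Rights    = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
            AppliesTo = $scope -join ', '
            Inherited = [bool]($flags -band 0x10)                  # ID (inherited from parent)
        }
    }
}

$aces = $dacl.GetEnumerator() | ForEach-Object { Get-AceScope -Folder $_.Key -Sddl $_.Value }

# Every ACE with its decoded rights and scope.
$aces | Format-Table -AutoSize

# Explicit ACEs that do not apply to the folder they are set on.
$aces | Where-Object { -not $_.Inherited -and $_.AppliesTo -notmatch 'this folder' } |
    Format-Table -AutoSize
```

In the strings above, the 0x1301bf (Modify, Synchronize) ACE on CF01 carries the IO flag, while the same mask on CF03 has only OICI.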

