I'm back with another Flex/Flash security question. I've already received some help from the community on this topic, but I'm still not quite sure this is the best way to do.

Here's the thing. A flex web app, a lot of users (1000+), custom configuration of the application depending of the user group. Can I make this thing safe... or safer.

For the moment, when a user comes to the application, there is only one configuration possible, but for the next version we've implented a multi-configuration protocol, this way :
1. The user connect to Default.aspx, server code process the windows credentials (whe are on intranet) and give the correct xml configuration file.
2. The flex app loads with the xml conf file as a flashvar and then the app 'builds' itself with the content of the xml file.

As we know, since this is a flex application the swf is downloaded on the client computer and the xml file too. If more than one user connects to the app, from the same computer, the can possibly see the other xml file in the windows temp folder.

The current directory of the application looks that way :

Web site
    |-> default.aspx
    |-> index.swf 
    |-> configAdmin.xml 
    |-> configUserType1.xml 
    |-> configUserType2.xml 
    |-> com 
         |-> a lot of swf and xml files

I was first thinking making another directory (without read access for the client) containing all the configurations xml files, picking the right one, copying it to the client and deleting it afterwards. But it seems like I must let know the user know when downloading/deleting content on it's computer...

I'm running out of ideas, so I hope you have some great ones. It's there are some design flaws (in the way the app is build, not in Flash :p) please share. I'm always looking forward to improve.

Thanks

Update : In browser Flash/Flex (without AIR that is) doesn't allow deleting file localy silently (on the client computer, where the application is). It's also not yet possible to get session data.