Revoke Inherited Permissions in Pipeline Pilot 9.5

We have an issue with applying access rights to protocol folders in the Pipeline Pilot Client. We need to restrict permissions to certain folders contained within the Protocols\Web Services folder. Currently, we have applied permissions at the root "Protocols" folder to several general AD groups, but it seems that inherited group permissions in sub-folders cannot be revoked or set to "none". The best I can do is to set them to "Read," which doesn't work for our use case. They need to be completely hidden. 

The only way I found to do that was to remove group permissions at the root and set the "everyone" group to read, and then set the "everyone" group to "none" in the folders we need to restrict (while granting access to a limited AD Group).  

Is that the only way to restrict permissions? if so, we will have to reapply the general AD group permissions to all of the individual Web Services sub-folders, which is not ideal. Is there something that I am missing?

We are using Pipeline Pilot 8.5 and 9.5, and we are not using Foundation Server (if that matters). Also, is the permissions scheme the same in 2017 R2? Would using Foundation Server change how permissions are applied?