I am working on a php/mysql application that will be running on an intranet based environment on a windows server.
I am not storing images and files in the database as it iwlll get heavy , so it will be stored in te folders.
For folders - is the folder permissions enough to secure those files?
It depends what you mean by secure - but generally, yes they will be fine as long as you deny access to the server other than a few specific users.
As long as you just need IIS to fetch those images, setting the NTFS permissions should be sufficient to secure access to those files.