Storing Files in a folder

I am working on a php/mysql application that will be running on an intranet based environment on a windows server.

I am not storing images and files in the database as it iwlll get heavy , so it will be stored in te folders.

For folders - is the folder permissions enough to secure those files?

It depends what you mean by secure - but generally, yes they will be fine as long as you deny access to the server other than a few specific users.

As long as you just need IIS to fetch those images, setting the NTFS permissions should be sufficient to secure access to those files.