Usually, what happens in access point is that, the user can see all files, but when he clicks on a particular file, access is granted/denied based on security settings set up in publisher for that file and user
When the user A goes to the access point URL, he should not see any files in the 1st place.
I know there is a login option for access point in QEMC settings.Have you ever used it. How does it work? Does the user need to log in again? what kind of login credentials are required there?