Hi Arny,
Depends on what you mean by portable. Firebird has an embedded version that works on Windows, and people have worked with an embedded version on Linux/OSX:
http://www.firebirdfaq.org/faq51/ (a bit old and C centric) and
http://www.mwasoftware.co.uk/index.php?option=com_content&task=view&id=105 (Linux, FreePascal centric).
Having an embedded Firebird Lazarus app on Linux is still on my nice to have list...
The fundamental point is the same though: the user has access to the database file and could run strings, grep etc. over it. So confidentiality is out the window, unless, as you say, the program encrypts the data. (Of course, it also depends on how the binary format is scrambled. IIRC, Firebird uses RLE compression for at least memo fields, if you're lucky also varchars, so that might help - EDIT: Nope, just ran strings on one of my databases, could see a lot of data in VARCHAR fields...)
Access control can actually be solved at the file level: just store the database file in a user's programdata (can't remember exact name)/my documents folder.
If permissions are correct, other users won't have read/write access to the db file.
Oooh, unless you mean that different people on the same pc must have different access levels on the same database.
You could do something like a password hash computed as SHA1(salt+username+password+access level). The username would be the windows user name.
You can store the "plain text" salt in an innocuous table, or in the user table with a misleading field name. I'd store the access level in the user table.
Then calculate the sha1 hash from the various elements.
Using a Win API call you can retrieve people's user name, so they'd just have to enter their password. This blocks people from trying other user names.
A simplified version could be SHA1(salt+username+access level) - don't use a password.
Of course, when people change their Windows user names, they'll be stuck. Could be a viable tradeoff as I suppose you'll be targeting small businesses. You could have a master/support user as well, or you could of course calculate the hash for such a key in advance and use it during support.
Will not stop a dedicated, knowledgeable person, but you're not looking into keeping the NSA out.
Maybe you could look into always using a (Firebird) server. Easy to set up (you can take an obscure port, use netstat -a to check if it's in use, change Firebird's port to that, show that to the user to note, and write it to a config file).
If you're in small business mode, just let FB listen on 127.0.0.1 only, otherwise on 0.0.0.0 (all addresses).
Result: one database, one way of programming. Slightly more complicated for people to figure out where the database is stored.
<Edited 9 October for clarity re Windows user names>
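The hash-based access check sketched above, as an added example that is not part of the original post (and not Firebird or Lazarus code; it is written in Python so the logic is easy to run on its own). It assumes the user table holds the user name, the access level and the hex digest, and that the salt is stored in plain text elsewhere in the database, as the post suggests. One addition of mine, marked as an assumption in the code, is a separator between the concatenated fields so that field boundaries are unambiguous. The point worth seeing is that because the stored access level is an input to the hash, someone who edits the access_level column directly in the database file is rejected at login rather than silently elevated:

```python
import hashlib
import hmac
import secrets

# Field separator: the post writes SHA1(salt+username+password+access level) with plain
# concatenation; the separator is my addition (assumption) so that field boundaries are
# unambiguous ("ab"+"c" must not hash the same as "a"+"bc").
SEP = "\x1f"


def new_salt() -> str:
    """Random salt to store in plain text in an innocuous table, as the post suggests."""
    return secrets.token_hex(16)


def access_hash(salt: str, username: str, password: str, access_level: str) -> str:
    """SHA1 over salt, Windows user name, password and access level (hex digest).

    Passing password="" gives the post's simplified, password-less variant."""
    material = SEP.join([salt, username, password, access_level]).encode("utf-8")
    return hashlib.sha1(material).hexdigest()


def make_user_row(salt: str, username: str, password: str, access_level: str) -> dict:
    """Build the row the app would store in its user table (constructed structure)."""
    return {
        "username": username,
        "access_level": access_level,
        "pw_hash": access_hash(salt, username, password, access_level),
    }


def verify_login(salt: str, row: dict, os_username: str, password: str) -> bool:
    """Recompute the hash from the OS-supplied user name, the entered password and the
    access level as stored in the row, and compare it in constant time.

    Because the stored access level is an input, an edit to the access_level column
    (e.g. 'user' -> 'admin' made directly in the database file) no longer matches the
    stored hash, so the login is rejected instead of granting the edited level."""
    expected = access_hash(salt, os_username, password, row["access_level"])
    return hmac.compare_digest(expected, row["pw_hash"])


def effective_access_level(salt: str, row: dict, os_username: str, password: str):
    """Return the access level to grant, or None when verification fails."""
    if verify_login(salt, row, os_username, password):
        return row["access_level"]
    return None


if __name__ == "__main__":
    salt = new_salt()
    row = make_user_row(salt, "alice", "correct horse", "user")
    print("good login:", effective_access_level(salt, row, "alice", "correct horse"))
    tampered = dict(row, access_level="admin")  # access level edited in the file
    print("tampered row:", effective_access_level(salt, tampered, "alice", "correct horse"))
```

The user name passed to verify_login is the one the application reads from the OS, not one typed by the user, which is what stops people from trying other names. As the post already says, this does not stop a determined person who can write to the file: anyone who knows the salt and a valid password can recompute the digest for a different access level, and the same structure works unchanged with a slower password hash if that becomes a concern.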