it's called user groups and advance permission on an NTFS & NFS file system and built into the windows server family.

the previous advice was for the first part of your scenario.

I do not want to let anyone who has access to the server, such as the staff of webhosting company, to copy, or access into the folder and delete/update the user's picture content or file name etc.

for this second part, im a sysadmin and not a developer, so i haven't a clue. on the admin side of things, i know that web applications can take advantage of the windows authorization and authentication to gain priveleges (such as in the case of putty for telnetting, ftp, ASP.NET process identity or ACLs through IIS). you might need to try your luck in codemasters subforum or the msdn library.

http://msdn2.microsoft.com/en-us/library/default.aspx

I only want to grant the access to the web application itself, other than that, no one will be able to access the folder including me unless I write a script and put into the web application folder as part of the application.