The users must have read and execute privileges to the packages. The preferred method of protecting users from being able to execute a ThinApp package is to use the PermittedGroups parameter, locking the packages to different AD groups.
I guess you could play around with list or read-only access. Problem is, if the package can be copied locally, can users execute it? Much easier to use the built-in AD group protection.
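An added example, not part of the original post: a small audit that reads a package's Package.ini and reports which AD groups may launch each entry point, flagging any entry point left without a PermittedGroups restriction. The sample file, group names and entry-point names are constructed. It assumes that a per-entry-point PermittedGroups value replaces the one in [BuildOptions] and that every section outside the listed settings sections is an entry point.

```python
import configparser

# Constructed sample Package.ini; groups and entry points are made up.
SAMPLE_INI = r"""
[BuildOptions]
; package-wide default for every entry point
PermittedGroups=CORP\App-Finance-Users;CORP\App-Admins

[Ledger.exe]
Source=%ProgramFilesDir%\Ledger\ledger.exe

[LedgerAdmin.exe]
Source=%ProgramFilesDir%\Ledger\admin.exe
PermittedGroups=CORP\App-Admins
"""

# Assumption: these sections hold settings; all others are entry points.
SETTINGS_SECTIONS = {"BuildOptions", "Compression", "Isolation", "FileList"}


def _groups(value):
    """Split a semicolon-separated PermittedGroups value into a list."""
    return [g.strip() for g in value.split(";") if g.strip()]


def effective_groups(ini_text):
    """Map each entry point to the groups allowed to run it ([] = anyone)."""
    # interpolation=None keeps ThinApp macros such as %ProgramFilesDir% literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    default = _groups(cp.get("BuildOptions", "PermittedGroups", fallback=""))
    result = {}
    for section in cp.sections():
        if section in SETTINGS_SECTIONS:
            continue
        # A non-empty entry-point value replaces the package-wide list
        # (assumed override behaviour); otherwise the default applies.
        own = _groups(cp.get(section, "PermittedGroups", fallback=""))
        result[section] = own or default
    return result


def unrestricted_entry_points(ini_text):
    """Entry points that any user who can read the package could launch."""
    return sorted(n for n, g in effective_groups(ini_text).items() if not g)


if __name__ == "__main__":
    for name, groups in effective_groups(SAMPLE_INI).items():
        print(name, "->", "; ".join(groups) or "UNRESTRICTED")
```
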