Thank you so much! That makes perfect sense. "Only users in your organization" seems like the most secure choice for my situation.

Yes, especially if you enable this just for a hand full of users (through a group), as you described. 

I really appreciate your clarifying the difference between "anyone" and "only users in your organization" here!

I was told by Google Support that to turn on Visitor Sharing (FYI the documentation online is still incorrect...) that I have to both allow the highest level of Access Checker (Recipients only, suggested target audience, or public (no Google account required)) AND have to set "Distributing content outside of <business>" to ANYONE.

We really only want to allow outside collaborators without a Google account to have visitor access to simply collaborate on/edit a shared doc. We do not, ideally, want them to ALSO be able to distribute/share the files. 

Anyone have a workaround or solution that satisfies these parameters?

It's possible for folks to create a (free) Google account that uses their existing non-Google, non-Gmail email address. See the "Use an existing email address" section of https://support.google.com/accounts/answer/27441?hl=en#:~:text=Use%20an%20existing%20email%20address... for all the details.

This is conceptually no different that needing to create a Dropbox account to be able to access Dropbox, or a Facebook account to access Facebook, or whatever. Unless the user is logging in, there's absolutely no way to tell whether they're the user that should have access to a particular piece of content.

Hope that helps,

Ian

I appreciate the suggestion! I rushed to test this out since it's such a graceful solution, but sadly it doesn't work. Even though shortcuts don't appear to have owners, it wouldn't let me create or move a shortcut into the external Shared Drive. Allowing "Distributing content outside" allows a shortcut to be made, but with that enabled you can put a full file there too.