Beginning with TFS 2008 SP1 you can specify that only the necessary part of the Work Item meta data is transferred to the client caches, e.g. not the meta data for projects you have no permission on. This is not done by default.
You can read all the gory details in Martin Woodward’s blog. Short excerpt:
Enabling WIT Meta-data filtering
Now that we have been through all the gory details, let’s finally see how to switch on the feature.
In the appSettings section of the %ProgramFiles%\Microsoft Visual Studio 2008 Team Foundation Server\Web Services\WorkItemTracking\web.config file add the following keys:

    <add key ="filterClientMetadata" value="true"/>
    <add key ="excludedUserAgents" value="WebAccess:w3wp:witfields:witimport:witexport:witadmin"/>

The filterClientMetadata switch determines whether to filter client metadata based on the calling user’s access rights (true) or not (false). If not provided the setting will default to false.
The excludedUserAgents switch is a colon-delimited list of strings that may appear in the requested client's HttpRequest UserAgent header. You can take a look at your IIS logs or your TFS Activity logs to determine what user agents are used, but a handy feature of the TFS .NET API is that the executable name using the API is recorded in the user agent string, meaning that you can easily find your specific utility and exclude it if necessary. As far as I am aware, the only publicly accessible application that makes use of shared meta-data is Team System Web Access, so we put “WebAccess” in our excluded user agents setting. We also put in the names of the utilities in Team System that need to see all the metadata to report back correct information to the TFS administrators.
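
To see which clients the excludedUserAgents list would exempt from filtering, the following added example (not part of Martin Woodward's post or of TFS itself) tallies the user agents in an IIS log for the Work Item Tracking service and marks the ones that match an excluded string. The log lines are constructed, and the case-insensitive substring match, the user agent layout and the URL paths are assumptions.

```python
from collections import Counter

# Value of the excludedUserAgents key shown in the excerpt above.
EXCLUDED_USER_AGENTS = "WebAccess:w3wp:witfields:witimport:witexport:witadmin"

# Constructed sample in IIS W3C extended log format (not real traffic).
# The user agent layout and the URL paths are assumptions for illustration.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username cs(User-Agent) sc-status
2009-01-12 08:01:10 POST /WorkItemTracking/v1.0/ClientService.asmx alice Team+Foundation+(devenv.exe,+9.0.0.0) 200
2009-01-12 08:01:12 POST /WorkItemTracking/v1.0/ClientService.asmx bob Team+Foundation+(devenv.exe,+9.0.0.0) 200
2009-01-12 08:02:30 POST /WorkItemTracking/v1.0/ClientService.asmx tfsadmin Team+Foundation+(witadmin.exe,+9.0.0.0) 200
2009-01-12 08:03:05 POST /WorkItemTracking/v1.0/ClientService.asmx svc_web Team+Foundation+(w3wp.exe,+9.0.0.0) 200
2009-01-12 08:04:41 POST /WorkItemTracking/v1.0/ClientService.asmx carol Team+Foundation+(BugReport.exe,+1.0.0.0) 200
2009-01-12 08:05:00 POST /VersionControl/v1.0/Repository.asmx alice Team+Foundation+(devenv.exe,+9.0.0.0) 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def matched_token(user_agent, excluded=EXCLUDED_USER_AGENTS):
    """Return the first excluded string found in the user agent, else None.
    Assumption: the server does a case-insensitive substring comparison."""
    ua = user_agent.lower()
    for token in excluded.split(":"):
        if token and token.lower() in ua:
            return token
    return None

def audit(text, path_part="/workitemtracking/"):
    """Count Work Item Tracking requests per (user agent, matched token)."""
    counts = Counter()
    for row in parse_w3c(text):
        if path_part in row.get("cs-uri-stem", "").lower():
            # IIS writes spaces inside a field as '+'.
            ua = row.get("cs(User-Agent)", "-").replace("+", " ")
            counts[(ua, matched_token(ua))] += 1
    return counts

if __name__ == "__main__":
    for (ua, token), n in sorted(audit(SAMPLE_LOG).items(), key=str):
        status = "unfiltered (matches %s)" % token if token else "filtered"
        print("%3d  %-45s %s" % (n, ua, status))
```

Any user agent reported as unfiltered receives the full metadata regardless of the caller's project permissions, so the list is worth reviewing against what the logs actually show.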