Yeah.. this seems like an idea that's impossible to enforce with a technological limitation. Either they have access to the bits, or they don't. What's to stop them from opening a document in the appropriate program (say Adobe Acrobat Reader) and then doing File -> Save from the program itself. At that moment CIFS isn't in the loop, there is no way to control access to what is going on inside Adobe Acrobat, and you can't do a darn thing about it.
There are some websites that for a fee let you view PDFs of courthouse docs. They charge one fee for a 'view' and another for a 'download'. Of course, once you've viewed the file you can just click 'save' and get a copy without paying for the download. They anticipated this and made it so that their webapp displays one PDF per page of the doc. So obtaining the document through 'view' and save results in over a hundred PDFs per doc. Paying for a download gets you a single PDF. They went through this because of what cyberjock pointed out above. Once it's loaded in acrobat, the file is on the client computer.
Your client just doesn't understand tech, but that's good (it's why he hired you). It's your job to communicate, figure out what he or she is worried about, and figure out the best way to mitigate the risk. Get facts, diagram stuff (visual aids help a lot), and have a frank discussion.
From what you described a good place to start is putting passwords on stuff.
If they are a bring-your-own-device sort of place then push workstation purchases. A windows server handling wds, wsus, and AD would probably be good if you have more than 5-10 computers you're dealing with.
Based on what you've described you'll also want to make sure that the freenas server actually has ECC ram / is not built to catastro-fail, and that backups are being done.
