You may want to take a look at the Attachment_CanOpen workflow event trigger. Something like this should get you started in the right direction. You should find the Attachment_CanOpen function in the Common Script section of the Script Editor.
Function Attachment_CanOpen(Attachment)
'Use ActiveModule and ActiveDialogName to get the current context.
On Error Resume Next
'Checking if the attachment is in the Run Details window.
If ActiveDialogName = ''Run Details'' Then
'Define who CAN open the attachments.
If User.IsInGroup(''Developer'') Then
Attachment_CanOpen = True
Else
'Deny anyone else
Attachment_CanOpen = False
MsgBox ''No permissions to open attachment.''
Exit Function
End If
End If
'maintain default attachment processing for other modules.
Attachment_CanOpen = DefaultRes
On Error GoTo 0
End Function