I don't see why you'd want to use File Storage. These old email archives aren't files that people are going to be uploading, downloading, modifying, etc., right?
If you use Static Pages, there might be a better way to do it, but worst case, you can always handle the access control with an AOLserver registered proc or filter. That wouldn't be too hard.
Besides the searching part, what you've got here is a permissions mapping problem. In general, one way you can always solve that, is make your own little OpenACS package to model the mapping in the RDBMS. Create one acs_object for every entity you need to set permissions on. E.g., if the finest permissions granularity you need is "email list name", then you just create one acs_object for each email list. And set the permissions the way you want on those acs_objects - e.g., only readable by members of such-and-such group.
Once you have your permissions modeled in the database, then all you need some Tcl code to enforce those permissions. Basically, that means write some Tcl code to intercept requests for the URLs where the email archives actually live, figure out what acs_object maps to that URL, and do a permissions check on that acs_object. An AOLserver registered filter or registered proc is the most traditional way to do that. Which probably seems familiar from OpenACS 3.x. :)
There might be and probably are handier or better ways to use various OpenACS facilities to accomplish the same thing. .vuh files, the subsite stuff Randy mentioned above, etc. But it's all definitely doable.
Oh, and of course, every OpenACS package you create automatically comes with at least one acs_object you can set permissions on - the package instance itself. So in some cases, you might not need to write any data model at all, just mount, say, 5 instances of your package, one for each of your 5 email archives, set permissions on each package instance, and poof you're done. The ACS Request Processor automatically enforces permissions on mounted package instances, so the "write some Tcl code to enforce the permissions" part has already been done for you.
It's been a long time since I looked at Static Pages, but if I remember right, the simplest way to do this is probably to mount one Static Pages instance for each email archive sub-tree that you want to set permissions on, and just set permissions on each package instance. If that doesn't fit well with the content and access control you need, then probably fall back to writing you're own little data model and code to enforce its permissions.