Active Directory/Domains

Hello:

Our organization is in the process of implementing a subdomain of our primary domain. We would like to make it to where users of the primary domain can access all resources of the subdomain. Also we would like to make it to where subdomain users cannot access the primary domain. I really can’t figure out any good way to do this since the primary domain will always trust the subdomain by default. Any thoughts or suggestions?