I'll tell you why I picked the one I picked. The key here is what we want to improve: You want to further increase the security for all <b>connections</b> to files on FILE3.

1) Modify the authentication method for the IPSec policy on FILE3 to require a certificate and install certificates on all client computers in the Research OU.

Then there's the risk of said certificate being put on other machine, with possibility for tampering and unwanted access.

2) Reconfigure the IPSec policy for FILE3 to use the Server (Request Security) IPSec policy.

I didn't see any improvement in security here. It seems to just move the issue from clients to server. The communications aren't more secure.

3) Configure the key exchange settings for the IPSec policy on FILE3 to use Master key Perfect Forward Secrecy (PFS).

I don't know the details on that one, but the idea to use secured key exchange seemed to improve security (less tampering possible), which we want.

4) Create a Group Policy object (GPO) that assigns the Secure Server (Require Security) to the Research OU.

I don't really know how that one works, but it doesn't improve the security of the communication.