fatal security problem

From: Mike Schwarz (ctek@ctek.ch)
Date: 10/10/02

From: "Mike Schwarz" <ctek@ctek.ch>
Date: Thu, 10 Oct 2002 20:00:12 +0200

I have the framework and SP2 installed
Win2000, IIS5, SP3
domain controller

I changed the user in the config file process model to user aspnet
with the appropriate password.
The aspnet user is a member of the user group 'domain user', like the IUSR_machine.

I now have a script which is able to browse all my web!
As the aspnet user needs read/write permission to certain system folders, I can
even browse through these folders and open ASP files, which are not executed
but shown as code! So conx.asp files of databases are fully readable.

How can I prevent anonymous users like aspnet and IUSR from browsing files
outside of their wwwroot?

Thank you