RE: Question regarding in Forms authentication

From: Joseph MCAD (
Date: 04/06/05

Date: Wed, 6 Apr 2005 08:17:07 -0700

  April 6, 2005

    Hi! Denying users that you know cannot access something is always better
than specifying only which users are allowed. Don't get me wrong, you have to
specify all users that can access it, BUT if you have a widespread blanket
group or role such as ? then it is best to deny it. Take a look at this

'Windows Authentication

  <deny users="?"/>
  <allow roles="Domain\IT"/>

   You might think that this will block everybody but the IT role, but it in
fact allows ALL authenticated users. This is because the Machine.config has
<allow users="*"/>. If you add this line to the web.config file:

  <deny users="?"/>
  <allow roles="Domain\IT"/>
  <allow users="*"/>

  You see that this will allow all users that are authenticated. Therefore
you should always specify a <deny users="*"/> at the end if you want to allow
only certain roles. This "*" role also covers unauthenticated users, so you
can remove the <deny users="?"/>, as these people will be denied as well.
Hope this helps!

   Joseph MCAD

"Naveen" wrote:

> In forms authentication. In order to restrict certain files from
> anonymous users we should set like
> <deny users="?"/> in web.config file
> Though .NET classes are able to detect the difference between the anonymous
> users and authenticated users then why
> it's not made like
> <allow users="<certain symbol>"/>
> Is there any particular reason by restricting with deny keyword
> ?
> I have already posted in many forums, but results in vain
> hope microsoft professionals may know it
> Thanks in advance