Re: Prevent users from downloading files

From: Bernard (qbernard_at_hotmail.com)
Date: 08/14/03 

Date: Thu, 14 Aug 2003 10:40:47 +0800

You have two ways to do this.

1) the native way - use IIS authentication which link
to Windows users database, then control file access by
configuring NTFS permission..

2) the custom way - use your own db to control access level.

You are in 2)... and because of this you might get better response
in aspnet group. basically you track your user, after they logged in.
assign some session value, and their rights, when come to the
download pages. check those value if not correct redirect to login,
display warning msgs. and etc. if valid.. then display related file
list.... what you might also do is put 'those' file outside of webroot
and it's child path.. because if user knew the url path, they can
retrieve directly... the aspnet expert will advise you more. 

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"Juan Renjifo" <jrenjifo@yahoo.com> wrote in message
news:uw078abYDHA.1004@TK2MSFTNGP12.phx.gbl...
> Hello,
>
> Is there a way in IIS to prevent users from downloading files in a virtual
> folder
> arbitrarily?
>
> I have a virtual folder that contains files available for download.
> Only *certain* people, once authenticated, should be able to download
> *certain* files.
> In a SQL database, I have a table that stores which files are available
for
> which users.
>
> The website is public, so anonymous connections should be allowed.
>
> I want the users, once authenticated against SQL server, to go to a
specific
> page (download.aspx) before downloading any files. This page is generated
> dynamically and only shows the files the current user is allowed to
> download.
>
> Can IIS reject any request that is not originated from that page?
>
> Right now, everybody, even anonymous users, could download any files by
> entering the URL of an existing file in the browser, and that's
definitively
> something I don't want.
>
> Any ideas would be greatly appreciated.
>
>

Relevant Pages

  • Re: Authenticate against AD
    ... don't think that I want to turn on Integrated authentication. ... with some other kind of IIS authentication? ... > accomplish what you want to do. ... > Some of my pages show a list of Word documents that a viewer can download. ...
    (microsoft.public.inetserver.iis.security)
  • Re: HELP!!! IIS wont display a Powerpoint presentation when Basic Authentication is enabled
    ... does the PPT download properly? ... IIS is not responsible for displaying any Powerpoint ... After authentication and authorization takes place, ... and then opens it. ...
    (microsoft.public.inetserver.iis)
  • deploying .exe over the web
    ... like to deploy over the Intranet for my team to use. ... IIS ... is telling me that the .exe is a download and requires ... wants to run it and providing authentication? ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: HELP!!! IIS wont display a Powerpoint presentation when Basic Authentication is enabled
    ... When I have the Basic Authentication checked for that site, ... IIS is not responsible for displaying any Powerpoint ... > to either send the file as a download, or execute the file on the server. ... > and then opens it. ...
    (microsoft.public.inetserver.iis)
  • Re: INETINFO.EXE
    ... As far as I am aware I do not have IIS installed nor do i run my home system ... not use my system as a server any way. ... > process if you are running Windows XP Professional and have IIS ... > direct download should not be trusted, the vendors sites are the safest ...
    (microsoft.public.windowsxp.security_admin)