RE: Website allows everyone in, no matter what
From: Chris Martin (Martin_at_discussions.microsoft.com)
Date: Fri, 25 Jun 2004 08:41:43 -0700
It might be because you have anonymous access enabled. You can disable it in the Directory Security tab while in the properties for the site. You should see a check box that says something about allowing anonymous access. I suggest right clicking on the directories that you do not want users to have access to, and then clicking on Properties. Once there, I think you click on the Directory Security tab, then uncheck the Allow Anonymous checkbox. I don't have IIS here to double check, but that might initially solve your issue.
Overall I think it might be better to not use Windows users for authentication to the site. At least right now ;) I'd suggest creating a database to store user information and coding the site for user permissions. I know this will take a lot of work, but I think that's the preferred practice. Most people do not give out user logins to people that are internet browsers. This might cause some interesting web site compromise if the user hacks your site. If they hack your site, they will be able to get at your system via a user login, which is bad. Microsoft already greatly restricts the anonymous user from accessing the system. Users have more abilities within the system.
I wouldn't be surprised if 5 years down the road (one more server OS release by Microsoft) they will be able to integrate AD to handle access rights for different users on a web site.
This is mainly my opinion; if anyone knows or thinks otherwise, feel free to speak up. I'm always ready to learn something new :)
"Tom Pennington" wrote:
> Okay, I have created a web site that is open to the public, yet there are
> pieces that need username/passwords to be able to get in, at least I
> NTFS Permissions are set so that only members of a particular group can get
> to this directory, IIS Admin has this directory set to not allow Anonymous
> access, yet people can get in. Here's the scenario:
> 1. User is created in AD and put into a particular group (i.e. NO-Access).
> 2. User (member of NO-Access group) goes to part of my web site and it
> comes up and prompts for a username/password.
> 3. If the user types in the username and password, they can get in. If
> they click on cancel, then they get the 401.2 (unauthorized) error, which is
> what I would expect.
> I'm baffled. I've checked the effective permissions for this user and
> according to NT, they do not have any rights to the directory or the file in
> question, yet they can still get in. The error log shows error 200 0, which
> means they got in with a valid username/password.
> The environment is: Windows 2003 (fully patched), IIS6 and NTFS for the
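Since the thread turns on what the IIS log actually records (200 0 with a username versus 401 2 on cancel), here is an added example, not code from either poster, that audits an IIS 6 W3C log for a protected directory: it lists which accounts got a 200 0 under the directory and flags any 200 0 with a "-" username, which would mean anonymous access is still enabled on it. The log lines are constructed; the /secure/ prefix and the CORP\ account names are assumptions.

```python
# Audit an IIS 6 W3C log for a protected directory: who was let in (200 0),
# how many were challenged and refused (401 2), and whether anonymous (cs-username "-")
# requests ever succeeded there. Example code added to this thread; log is constructed.
from collections import Counter

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-25 15:41:43
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-06-25 15:41:43 10.0.0.5 GET /secure/default.htm - 80 - 192.168.1.20 Mozilla/4.0+(compatible) 401 2 5
2004-06-25 15:41:50 10.0.0.5 GET /secure/default.htm - 80 CORP\\noaccess1 192.168.1.20 Mozilla/4.0+(compatible) 200 0 0
2004-06-25 15:42:01 10.0.0.5 GET /index.htm - 80 - 192.168.1.21 Mozilla/4.0+(compatible) 200 0 0
2004-06-25 15:42:05 10.0.0.5 GET /secure/report.htm - 80 - 192.168.1.22 Mozilla/4.0+(compatible) 401 2 5
2004-06-25 15:42:09 10.0.0.5 GET /secure/report.htm - 80 CORP\\admin 192.168.1.22 Mozilla/4.0+(compatible) 200 0 0
2004-06-25 15:42:30 10.0.0.5 GET /secure/old.htm - 80 - 192.168.1.23 Mozilla/4.0+(compatible) 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header.
    IIS writes '+' for spaces inside fields, so splitting on whitespace is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def audit_protected(text, prefix="/secure/"):
    """Return (granted, challenged, anonymous_ok) for requests under prefix:
    granted   -> Counter of cs-username values that received 200 0
    challenged -> number of 401 2 responses (no or refused credentials)
    anonymous_ok -> list of uri-stems served 200 0 to '-' (anonymous still enabled)"""
    granted, challenged, anonymous_ok = Counter(), 0, []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(prefix):
            continue
        status = (rec["sc-status"], rec["sc-substatus"])
        if status == ("200", "0"):
            granted[rec["cs-username"]] += 1
            if rec["cs-username"] == "-":
                anonymous_ok.append(rec["cs-uri-stem"])
        elif status == ("401", "2"):
            challenged += 1
    return granted, challenged, anonymous_ok

if __name__ == "__main__":
    print(audit_protected(SAMPLE_LOG))
```

Any entry in the third result means the directory is still reachable without credentials, the misconfiguration the reply above suspects; a username in the first result that should not have NTFS rights is the case the original poster describes.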