The scope of Everyone, Auth Users and IUSR_Machine accounts

From: FB (FB_at_discussions.microsoft.com)
Date: 08/23/05


Date: Tue, 23 Aug 2005 11:50:19 -0700

I'm testing a web site hosted on a Win2003 machine with diverse content (asp,
htm, pdf, etc.) and I'm confused about certain concepts of authentication and
authorization access.

I have a folder with ZIPs and ASP pages and ONLY Anonymous access enabled.
I have made several tests, changing the NTFS permissions (the IIS permission is
always Read), and the results were strange.

IUSR_ and the Users group have the Logon Locally right, and "Let Everyone
Permissions Apply to Anonymous" is at its default (Disabled).

If IUSR_Machine is the anonymous user, access has to be denied when ONLY
Everyone or Users is permitted on the ACLs. Is that right?

The tests I've made with RX permissions on the NTFS folder's ACL:

=====================================================================
ACL on folder   ACTION                              RESULT
=====================================================================
Everyone        Get zip file and process ASP page   OK and OK
Auth Users      Get zip file and process ASP page   OK and OK
IUSR_Machine    Get zip file and process ASP page   OK and OK
Users           Get zip file and process ASP page   OK and OK
ASPNET          Get zip file and process ASP page   401.3 and 401.5
SYSTEM only     Get zip file and process ASP page   401.3 and 401.5
=====================================================================

If the IUSR_Machine user is an anonymous user, why do we have normal access
with NTFS ACLs of Auth Users or Everyone? If the IUSR_Machine user is accessing
the web page, why can it access it even without proper NTFS permissions?