Re: folder access lan and web



I don't use the UI to do these things so I really don't know what you
are describing.

It sounds like you have the right idea, though there are many details
which can affect whether you succeed or not and whether it is secure.
But, that is always the case -- user configuration completely affects
functionality and security.

I can only say that you do NOT want to enable any sort of "Web"
Sharing (which I think you can find in the Explorer Properties page
under a tab) because that enables WebDAV, which is what causes the
password dialog for http access. You want to leave everything back to
the original configuration when files were readable with anonymous
access.

Instead, you want to enable "UNC Sharing" (which I think you can find
in the Explorer right-click Context menu prior to the Properties
page), which is where you can configure UNC shares which map to your
physical folder.

If you have NTFS, there are now TWO sets of ACLs that you can
configure. One set exists on the UNC share itself. The other set
exists on the files exposed by the UNC share. Your EFFECTIVE access of
this network share is the restrictive AND of both those ACLs.

In other words, if you set UNC share to only allow User1 Read access
and the NTFS ACLs on files shared via UNC only allow User2 Read
access, you will find access denied when you try to access this UNC
share as either User1 or User2 -- because while User1 can access the
UNC share, it has no rights to access the files that are shared, while
User2 can't even access the UNC share even though it can read the
files in it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
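The "restrictive AND" rule described above, as an added example that is not part of the original post: a small model that computes effective access over a share from the share ACL and the NTFS ACL and reports which layer blocks a user. The rights model, the `ImageEditors` group and the user `bob` are assumptions made for illustration; real Windows ACLs also have inheritance and finer-grained rights that this sketch leaves out.

```python
from dataclasses import dataclass

# Simplified rights model (assumption): real Windows ACLs have finer-grained
# rights, inheritance and ordering rules that this sketch does not cover.
READ, WRITE, DELETE = "read", "write", "delete"

@dataclass(frozen=True)
class Ace:
    principal: str          # user or group name
    rights: frozenset       # rights this entry covers
    allow: bool = True      # False marks a deny entry

def granted(acl, user, groups):
    """Rights one ACL grants: all matching allows minus all matching denies."""
    who = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def effective(share_acl, ntfs_acl, user, groups=()):
    """Access over the share is the intersection of what each ACL grants."""
    return granted(share_acl, user, groups) & granted(ntfs_acl, user, groups)

def explain(share_acl, ntfs_acl, user, groups=()):
    """Say which layer blocks the user, so the right ACL gets fixed."""
    s = granted(share_acl, user, groups)
    n = granted(ntfs_acl, user, groups)
    if not s:
        return "blocked at share"
    if not n:
        return "blocked at NTFS"
    return "allowed: " + ",".join(sorted(s & n))

# Constructed ACLs reproducing the User1/User2 case from the post.
SHARE_ACL = [Ace("User1", frozenset({READ}))]
NTFS_ACL = [Ace("User2", frozenset({READ}))]

# Constructed corrected setup: a hypothetical "ImageEditors" group gets
# change-level rights on the share but only read/write on the files.
FIXED_SHARE = [Ace("ImageEditors", frozenset({READ, WRITE, DELETE}))]
FIXED_NTFS = [Ace("ImageEditors", frozenset({READ, WRITE}))]

if __name__ == "__main__":
    for u in ("User1", "User2"):
        print(u, "->", explain(SHARE_ACL, NTFS_ACL, u))
    print("bob ->", explain(FIXED_SHARE, FIXED_NTFS, "bob", ["ImageEditors"]))
```

In the corrected setup the share allows delete but the files do not, so a mapped drive ends up with read and write only: the narrower of the two layers always wins.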



On Nov 14, 5:53 pm, "bbxrider" <bxtra...@xxxxxxxxxxxx> wrote:
thanks for the reply
if you can bear with me, i would just like to clear up the terminology
when you say 'add UNC file share' that means simply allowing sharing
for that folder, (vs not sharing) and i can further tweak that by user
permissions, eg, i could say create a user account that has
read+write+delete permissions only, without full control, execute, etc
so that when mapping a drive to a pc on the lan and there is the prompt
for username password, by establishing the map with user account with
limited access from above that 'map' has only those limited permissions
available to it?
yes???
and reading up on smb, it looks like smb is enabled on ethernet by
'client for ms networks' and 'file and printer sharing for ms networks'
and i never thought much about those since they always seem to be
there, so yes smb is on the lan.
it seems odd that smb would be allowed via internet, i'm not sure what
that would be about, it sounds dangerous and it sounds somewhat like
vpn's i set up to allow remote access to lans as needed for certain apps
bob

"David Wang" <w3.4...@xxxxxxxxx> wrote in message

news:1195013927.789671.136260@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Nov 13, 3:58 pm, "bbxrider" <bxtra...@xxxxxxxxxxxx> wrote:
for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default
permissions, security etc
looks like i have to do this differently
have a folder for images, right now directly under wwwroot, using for
<img tags for pics, etc on web pages like ebay, and others, works fine
then i went to share it on the local lan so it would be easy to
copy/paste files there
after enabling sharing on the network or sharing on the web, and trying
to access files via http, it became password protected for http access.
i would like it to be password protected for lan access only, actually
so i can map drive access to it and allow anon access via http
so not sure how to or best way to do it
bob

You probably accidentally enabled "sharing on the web", which is not
what you want. Get rid of that.

All you need to do from your default configuration is add a UNC File
Share to the wwwroot\images folder. I assume you allow SMB traffic on
Intranet and not Internet.

In this configuration, HTTP can get to everything externally that you
expose via IIS. You can use SMB to access the UNC file share
internally to do what you want.

For certain, whatever you enabled is NOT the right thing and should be
reverted.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//