
iis ftp : Subdirectory permissions


Lee
7/1/2004 4:27:01 PM
I have a single FTP site running on IIS 6. The server is isolated on a DMZ segment apart from the LAN and is accessible via FTP from both the LAN and the Internet.
The site is set up to require user authentication. The user names and their directories under d:\ftproot\LocalUser are named the same. This creates an automatic association between the user’s name and their private directory and isolates users from each other’s directories. I set this site up using the site setup wizard. I tried the “Isolate Users” option, but could not get the site to function properly. Eventually I set it up using the “Do not isolate users” option, which with the above configuration nevertheless isolated users.

Currently under properties for the site, on the Home Directory tab, permissions are set to allow Read, Write, & Log visits. What I would like to do is to remove write permissions for all users’ directories so that the contents of their directories are read only, with the exception of a single subdirectory called “Uploads” which would have read and write permissions.

If I remove the write permission from the IIS Home Directory tab for the whole site and then create the Upload subdirectory in a user’s directory, regardless of how I set the subdirectory’s permissions, it remains read only. IIS permissions seem to override Windows permissions.

If I approach this by leaving the write permission in place on the IIS Home Directory tab and then removing it from the user’s directory, with plans of adding it back to the Uploads subdirectory, a strange thing happens. When the user logs on, they are placed in the root directory - d:\ftproot\LocalUser and have access to all users’ directories.

Any idea how to set up an FTP site that has isolated users with the users’ private directories set to read only, but containing a subdirectory that has both read and write permissions? If not, any other ideas how to achieve this or similar results? Another workable scenario would be for each user to have two sites: one that is read only and one they can use to upload files. But since the Read/Write permissions are set on the IIS Home Directory tab for the whole site, this doesn’t work. I would just create another site, but I’m out of IP addresses and for various reasons can’t get more.

Thanks,
Lee

Paul Lynch
7/2/2004 1:01:36 PM
On Thu, 1 Jul 2004 16:27:01 -0700, Lee <Lee@discussions.microsoft.com>

Lee,

What do you mean when you say you "could not get the site to function
properly" when you tried User Isolation mode?

Did you follow the steps outlined here?

http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_21.mspx

I have set up a User Isolated site with these instructions and it
worked perfectly. If you chose the Do Not Isolate users option you
have effectively got an IIS5 type of FTP setup in which you have to
enforce isolation using a combination of virtual directories outside
the actual FTP root and NTFS permissions - not ideal but I have
successfully used that method to 'isolate' literally hundreds of users
on one IIS5 FTP server.

I would suggest going back and starting again and using the Isolate
Users option - it does work, I promise :-)

To answer your other question, when there is a conflict of interest
with permissions the most restrictive always wins. So even if you
grant the NTFS write permission the Read Only option selected in IIS
will override it.


Regards,

Paul Lynch
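
The "most restrictive wins" rule from the reply above can be modeled as a set intersection of the IIS site flags and the NTFS rights on the path. This is an added illustration, not code from either poster or from IIS. The inheritance model (nearest explicit entry up the tree applies; no deny entries or groups), the account name `lee`, and the file names are assumptions made for the sketch.

```python
from pathlib import PureWindowsPath

# FTP root taken from the thread; everything below it is constructed sample data.
ROOT = PureWindowsPath(r"d:\ftproot\LocalUser")


def ntfs_rights(acls, user, path):
    """Rights from the nearest directory at or above `path` that carries an
    explicit entry for `user` (simplified model of NTFS inheritance)."""
    p = PureWindowsPath(path)
    while True:
        entry = acls.get(p, {}).get(user)
        if entry is not None:
            return set(entry)
        if p == p.parent:          # reached the drive root, nothing granted
            return set()
        p = p.parent


def effective_rights(iis_flags, acls, user, path):
    """A right is usable only if BOTH layers grant it."""
    return set(iis_flags) & ntfs_rights(acls, user, path)


def layout(iis_flags):
    """Evaluate the read-only home / writable Uploads layout for one user."""
    home = ROOT / "lee"
    acls = {
        home: {"lee": {"read"}},                        # home: read only
        home / "Uploads": {"lee": {"read", "write"}},   # Uploads: read + write
    }
    return {
        "home": effective_rights(iis_flags, acls, "lee", home / "report.txt"),
        "uploads": effective_rights(iis_flags, acls, "lee", home / "Uploads" / "new.zip"),
        "other": effective_rights(iis_flags, acls, "lee", ROOT / "paul" / "x.txt"),
    }


if __name__ == "__main__":
    # Site Write cleared: Uploads stays read only whatever NTFS grants.
    print("site Read only :", layout({"read"}))
    # Site Write enabled: NTFS alone decides where writes are possible.
    print("site Read+Write:", layout({"read", "write"}))
```
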