"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:#xX4B2bzDHA.1668@TK2MSFTNGP10.phx.gbl...
> 1) If you are browsing remotely via network anonymously, the iusr a/c will
> be a member of this group. Refer -
> -Network
> Represents users currently accessing a given resource over the network (as
> opposed to users who access a resource by logging on locally at the computer
> where the resource is located). Whenever a user accesses a given resource
> over the network, the user is automatically added to the Network group.
>
> -Interactive
> Represents all users currently logged on to a particular computer and
> accessing a given resource located on that computer (as opposed to users who
> access the resource over the network). Whenever a user accesses a given
> resource on the computer to which they are currently logged on, the user is
> automatically added to the Interactive group.
>
> 2) Any user accessing via network will be a member of this special group, and
> yes, this is a risk. The basic rule of NTFS is to only assign to those users
> that require such permissions. ONLY assign to required users.
>
> 3) refer #1
>
> 4) Refer #2. For a web resource directory with purely read access, remove this
> as well. If you had different sites with different user uploads, then you
> might want to include this to allow users to control their own
> files/folders.
>
> 5) In IIS 5.0 isolation mode, iwam is the process identity of an out-of-process
> application, e.g. running the dllhost.exe. Network Service functions the same,
> running the w3wp.exe worker process in the IIS 6.0 WP mode. These are
> process identities; you still need the iusr a/c for anonymous access.
>
> --
> Regards,
> Bernard Cheah
>
> http://support.microsoft.com/
> Please respond to newsgroups only ...
>
>
>
> "Tarntanate M." <toms@access.inet.co.th> wrote in message
> news:OneGcNPzDHA.2240@TK2MSFTNGP10.phx.gbl...
> > I have some questions about NTFS permissions. I'm using W2k3 Standard
> > Edition and PHP 4.3.4
> >
> > 1. If I do not add the "IUSR_XXXX" user into the NTFS permissions, but I have
> > the "NETWORK" group which has "Read" permission instead, I can access my
> > website. So, is the "IUSR_XXX" account a member of the "NETWORK" group?
> >
> > 2. If I add the "NETWORK" group which has "Read" permission into the NTFS
> > permissions rather than exactly the "IUSR_XXXX" account, is there any
> > security risk?
> >
> > 3. Do I need to add the "INTERACTIVE" group which has only "Read"
> > permission? Is this group necessary?
> >
> > 4. Do I need to have "CREATOR OWNER" and "CREATOR GROUP" which have "Full
> > Control" permission? Because when I create a new folder for adding a new
> > web site, that folder automatically has these groups in the NTFS
> > permissions.
> >
> > 5. If my web site contains asp or aspx files, do I need to add the "NETWORK
> > SERVICE" or "IWAM_XXXX" user into the NTFS permissions? If not, when or in
> > what situation do I need to add those users into the NTFS permissions?
> >
> > Any ideas or suggestions are welcome.
> > Thank you very much.
> >
> >
>
>
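
The advice quoted above is to grant NTFS rights only to the specific accounts that need them. The script below is an added example, not part of the thread, that lists where a web content tree still grants access to the four special groups named in the question. It assumes PowerShell 3.0 or later, and the `C:\Inetpub\wwwroot` default, the `Get-BroadAce` function name and the `CanModify` column are choices made for this example.

```powershell
# Added example (not from the thread): list ACEs that grant access on a web
# content tree to the broad built-in groups discussed above.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot'   # assumed path, adjust to the site folder
)

# Well-known SIDs, so matching does not depend on the OS display language.
$broad = @{
    'S-1-5-2' = 'NETWORK'
    'S-1-5-4' = 'INTERACTIVE'
    'S-1-3-0' = 'CREATOR OWNER'
    'S-1-3-1' = 'CREATOR GROUP'
}

# Rights that let a principal change content or the ACL itself, plus the
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that
# inherit-only entries such as CREATOR OWNER often carry.
$writeMask = ([int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')) -bor 0x10000000 -bor 0x40000000

function Get-BroadAce {
    param([string]$Path, [bool]$IncludeInherited)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for the rules with identities already expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $IncludeInherited,
                                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $broad[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            CanModify = [bool]([int]$ace.FileSystemRights -band $writeMask)
        }
    }
}

# Report every matching entry on the root, then only explicit (non-inherited)
# entries below it, which is where per-folder exceptions hide.
Get-BroadAce -Path $WebRoot -IncludeInherited $true
Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BroadAce -Path $_.FullName -IncludeInherited $false }
```

Rows with `CanModify` set to `True` on a read-only content folder are the entries to review first.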