
iis security : Issues with 8.3 notated files and IIS Security


News User
7/19/2004 12:57:09 PM
I am having a strange issue when using 8.3 notation (a ~ character in the
name) for file names and hosting them with IIS 5.0. I get prompted for
credentials when I select the file. I can rename the file to remove the ~
and it will allow me to download the file using the Anonymous account. Put
the ~ back and I will get prompted for credentials. I have triple checked
the NTFS permissions and they are correct. I can put a new file in the
folder and it will host as long as there is not a ~ in the file name. I
have URLScan installed and have also checked the configuration of the
URLScan.ini. I have also copied the URLScan.ini from a machine that is
working correctly. I recently ran Windows Update on these machines. Is there
a new security update that exhibits this behavior?

Wade A. Hilmo [MS]
7/20/2004 1:12:28 PM
Hello,

IIS will not serve files by their short name. It would be a security issue
if it did. The problem is that we have to match the metadata for the URL
with the physical file. Since the metadata is stored using the long file
name, we could potentially find incorrect metadata and serve the file
incorrectly.

To prevent this, IIS specifically does a check on any URLs that "look" like
8.3 representations of file names to see if that is their real name or a
short name. If it's a short name, IIS will not serve the file.

I can't explain why you are getting a 401 response instead of a 404
response, though. I've seen some cases where IIS fails to get access to the
file when checking to see if the filename is an 8.3 name or not, and
this is probably what's happening on your server. Even if you work around
that, though, the best you'll be able to get is a 404 for these files,
unless you access them via their full name.

Thank you,
-Wade A. Hilmo,
-Microsoft
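
Added example, not part of the thread and not IIS's own check: a log review script that finds requests whose URL contains a segment that looks like an 8.3 short name and counts the status codes returned, which makes the 401-instead-of-404 case above easy to spot. It assumes W3C extended logs with a `#Fields:` line; the regex is a heuristic, the function names are hypothetical, and the sample log is constructed.

```python
import re
from collections import Counter

# Heuristic for a path segment that "looks" like an NTFS-generated short name:
# a base of at most 8 characters ending in ~<digits>, plus an optional
# extension of up to 3 characters. A real long name such as "a~1.txt" also matches.
SHORT_NAME = re.compile(r"^([^.~]{1,6}~\d{1,6})(\.[^.]{1,3})?$")

def looks_like_short_name(segment):
    m = SHORT_NAME.match(segment)
    return bool(m) and len(m.group(1)) <= 8

def find_short_name_requests(log_lines):
    """Yield (client_ip, uri_stem, status) for requests with an 8.3-looking segment."""
    fields = []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if any(looks_like_short_name(seg) for seg in stem.split("/")):
            yield row.get("c-ip", "-"), stem, row.get("sc-status", "-")

def summarize(log_lines):
    """Count short-name-looking requests per status code (e.g. 401 vs 404)."""
    return Counter(status for _, _, status in find_short_name_requests(log_lines))

# Constructed sample log (not taken from the thread)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-07-19 12:50:01 192.0.2.10 GET /downloads/setup.exe 200
2004-07-19 12:50:07 192.0.2.10 GET /downloads/ANNUAL~1.PDF 401
2004-07-19 12:51:13 192.0.2.22 GET /PROGRA~1/readme.txt 404
2004-07-19 12:52:40 192.0.2.22 GET /downloads/annual-report-2004.pdf 200
2004-07-19 12:53:02 192.0.2.31 GET /~user/index.htm 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, status in find_short_name_requests(SAMPLE_LOG):
        print(ip, stem, status)
    print(dict(summarize(SAMPLE_LOG)))
```

A 401 count on these requests points at the access failure during the short-name check described above rather than at NTFS permissions on the file itself.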
