Hi all,

I'm having a problem with what is most likely a rudimentary task. I
want to lock down access to a folder on the webserver so that only a
particular security group has access to it. However, I have created a
user that isn't a member of any groups (I've removed him from Users as
well) and he can still be authenticated and get access to the folder.

I'm using IIS6 on a Windows 2003 Server. I've turned off anonymous
access for this folder and am using Integrated Windows Authentication.
I've turned off inherited permissions for the folder edited the ACL so
that only the following members remain:

Administrators
CREATOR_OWNER
INTERACTIVE
Internet Guest Account
NETWORK
NETWORK SERVICE
SN Admin (the group I created)
SYSTEM

I get the authentication popup as expected when accessing the folder,
but this user is still getting through. I'm writing out the
authenticated user on the web page and it's definitely the same user.

My apologies if this is a bit of a newbie question. Any help would be
much appreciated.

Many thanks,

Paul

Also, if I get the "Effective Permissions" for this user in the
advanced dialog, nothing is enabled, as expected, but they're still
able to access the folder through the website.

And, I can get this working only by removing the NETWORK entry from the
ACL. Does anyone know why this would make it work?

Errr. well, I think you need network. coz it's coming from network.
now, restart IIS service and see if the user able to access again, if yes,
then somewhere, somehow the user has inherited access rights on the folder.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


[quoted text, click to view]