
iis security : IIS 6 secure site sign-on and file level security


E-Double
2/27/2008 1:41:01 PM
When setting up a secure area of a website that is using NTFS file level
security and AD user & group accounts to set the access permissions, is there
a timeout period for users once they enter the secure area of the site? And
would this work differently with either HTML pages or ASP pages? Would only
ASP pages use the default session timeout variable and not HTML pages? And,
if so, where/how could this timeout period be adjusted for static HTML pages?

Ken Schaefer
2/29/2008 5:18:00 PM
How exactly are the clients authenticating to the web server?

If they are using HTTP based authentication, then there isn't really a
timeout period. Certainly a Kerberos ticket (for example) can expire, but
what will happen is that the browser typically re-authenticates the user
transparently. Unless the server says that the user's password is now
invalid, the user will not be prompted to re-authenticate.

However, if you are using IE 6 SP1 or later, you can use this piece of
client-side JavaScript to "log off" the user. You could do this after some
specified timeout period:
http://www.adopenstatic.com/cs/blogs/ken/archive/2005/04/12/14.aspx

Alternatively, if you are using some kind of forms based authentication,
then it's easy to develop some mechanism for timing out the user based on
some time stamp stored in your user's credential cookie.

Cheers
Ken
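
The forms-based timeout described in the reply above, sketched as an added example (not part of the original post and not code from its author): a signed credential cookie carries an issue time and a last-seen time, and the server enforces an idle limit and an absolute limit on every request. It is written for Node.js; the cookie layout, the secret, the two limits and the function names are assumptions made for illustration.

```javascript
// Added example: idle and absolute timeouts enforced from a signed credential cookie.
const nodeCrypto = require('crypto');

const SECRET = 'constructed-demo-key-change-me';  // assumption: secret held only by the server
const IDLE_MS = 20 * 60 * 1000;                   // assumption: 20 minute idle limit
const ABSOLUTE_MS = 8 * 60 * 60 * 1000;           // assumption: 8 hour limit since sign-on

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Cookie value layout (assumed): base64url(user)|issuedAt|lastSeen|hmac
function issueCookie(user, now, issuedAt = now) {
  const payload = [Buffer.from(user).toString('base64url'), issuedAt, now].join('|');
  return payload + '|' + sign(payload);
}

// Returns { ok: true, user, cookie } with a refreshed cookie, or { ok: false, reason }.
function checkCookie(cookie, now) {
  const parts = String(cookie).split('|');
  if (parts.length !== 4) return { ok: false, reason: 'malformed' };
  const [userB64, issuedStr, seenStr, mac] = parts;
  // Verify the HMAC before trusting any timestamp the client sent back.
  const expected = Buffer.from(sign(parts.slice(0, 3).join('|')));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const issuedAt = Number(issuedStr);
  const lastSeen = Number(seenStr);
  if (now - issuedAt > ABSOLUTE_MS) return { ok: false, reason: 'absolute-timeout' };
  if (now - lastSeen > IDLE_MS) return { ok: false, reason: 'idle-timeout' };
  const user = Buffer.from(userB64, 'base64url').toString();
  // Sliding window: re-issue with lastSeen = now, keeping the original issuedAt.
  return { ok: true, user, cookie: issueCookie(user, now, issuedAt) };
}
```

Because the check runs in the request pipeline rather than in script state, it applies equally to static HTML and ASP pages as long as every request for the protected area passes through it.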
