General discussion

Locked

IIS 5.0 permissions

By agibbs ·
Hey all. I'm trying to restrict access to a folder within a website so only one user has access. Here's the problem:

Let's say the website I've created in IIS points to d:\webs\mydomain.com\wwwroot. Permissions on this folder are

SYSTEM and ADMINISTRATORS: Full Control
IUSER_MACHINE: Read/Execute

The folder I want to secure is d:\webs\mydomain.com\wwwroot\intranet. Permissions here same as above, plus:

TESTUSER: Full Control

So, I turn off Anonymous access and enable Basic Authentication ONLY for the /intranet folder within IIS. Now, if I try to access http://mydomain.com/intranet, I am prompted for a username and password (duh). But, I log in as TESTUSER and it prompts me again! Like TESTUSER doesn't have access.

Now, I grant TESTUSER READ/EXECUTE access to the root (d:\webs\mydomain.com\wwwroot) and now I can log in to http://mydomain.com/intranet with full control. Is there some issue with IIS where a user must have at least READ access to the root webbefore they can be granted any access to a subfolder?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

IIS 5.0 permissions

by k.o.z. In reply to IIS 5.0 permissions

As far as I know there is no work around for this. I had the same problem setting up our IIS 5.0 web server. I created groups for developers and admins of the web and had to give everyone read permission to the root folder. Then gave specific permissions on the individual folders throughout the web.

I seems to look at the parent folder first for permissions in W2K which is causing your problem. I guess it makes sense if someone can't access the parent folder, why should they be able to access anything within that folder - that's just good security.

Collapse -

IIS 5.0 permissions

by agibbs In reply to IIS 5.0 permissions

Not exactly the answer I wanted but it does make me feel better :-)

Glad I'm not the only one with this prob

BTW, I found out how to resolve this -- just give the NETWORK or EVERYONE group LIST access (i.e. list files in directory) to the rootfolder it works OK.

Collapse -

IIS 5.0 permissions

by agibbs In reply to IIS 5.0 permissions

I thought that with BYPASS TRAVERSE CHECKING enabled for EVERYONE I would be able to grant a user access to a subfolder, even when they are not granted access to the parent folder. Is this not true with IIS?

Collapse -

IIS 5.0 permissions

by Beeba In reply to IIS 5.0 permissions

i think there is, however, a workaround... virtual directories.

we have a situation somewhat like this-- we want to give members of a group access to their own directory, but NOT to be able to see others one level up. so i created a virtual directory for each member, and set permissions accordingly. if they go one level "up", they see nothing, not even the names of the other entities (this was important to us/them). It's a little complicated to explain, I now realize, but if you play around with virtuals you may find your solution.

Collapse -

IIS 5.0 permissions

by agibbs In reply to IIS 5.0 permissions

Virtuals would be too big of a pain. We're hosting several hundred sites here

Collapse -

IIS 5.0 permissions

by agibbs In reply to IIS 5.0 permissions

This question was closed by the author

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums