Anonymous User Appears to Have Access Even When File Permissions Are Denied on Intranet (267850)
The information in this article applies to:
- Microsoft Internet Information Services 5.0
This article was previously published under Q267850 SYMPTOMS
On an intranet, an Anonymous User account can view the restricted file, even if you have explicitly set the file permissions for a file to deny access to the Anonymous User account (by default, the name of this account is IUSR_ComputerName).
NOTE: This problem also occurs when you use folder permissions instead of file permissions to deny access.
CAUSE
Web site visitors are not actually viewing the restricted file by using the Anonymous User account. Instead, their network user name is being used to authenticate them, and consequently, allow them access to the file because the Integrated Windows Authentication method is also in effect.
When Anonymous Access fails, IIS then tries to authenticate the visitor by using the other authentication methods that are in effect.
NOTE: By default, when you create a new Web site, both Anonymous Access and Integrated Windows Authentication are enabled.
RESOLUTION
Do not use file permissions to restrict access for the Anonymous User. Instead, use the Internet Service Manager (ISM) to disable access for the Anonymous User.
If for some reason you still need to use file permissions to restrict access for the Anonymous User, make sure to disable other authentication methods, such as Integrated Windows Authentication.
| Modification Type: | Major | Last Reviewed: | 6/29/2004 |
|---|
| Keywords: | kbpending kbprb KB267850 |
|---|
|