Web Permissions Behave Unexpectedly with Script Engines (321506)
The information in this article applies to:
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Server 5.0
- Microsoft Internet Information Services version 5.1
- Microsoft Internet Information Services version 6.0
This article was previously published under Q321506 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: SYMPTOMS
When Web pages such as Active Server Pages (ASP) pages are processed through an extension that uses the Application Mapping setting in IIS for a specific ASP application, unexpected behavior may occur when you try to change the Read permission in the IIS Manager.
CAUSE
Pages that are processed by an extension, such as ASP or SHTML pages, are processed by the server and sent to the client even if Read permission has been removed from the IIS properties of either the Web site or of the page itself. This occurs because the code of the page is processed by the extension engine and the results (instead of the original code) are sent to the client for reading.
WORKAROUND
To effectively limit a user's permission on any file on a Web server, Microsoft recommends that administrators use the NTFS File System permissions for files and folders.
Modification Type: | Minor | Last Reviewed: | 6/23/2005 |
---|
Keywords: | kbpending kbprb KB321506 |
---|
|