IIS 7 and Above
How to Prevent Anonymous Access but allow a Classis ASP Session to Di...
Last post Jan 11, 2019 02:21 AM by smetzger
Jan 10, 2019 07:51 PM|pmosca|LINK
Using IIS on Windows 2012:
I have a classic ASP site. All the pages within the site are .asp files, but I have a few that are HTML in a Virtual Directory and do not have any ASP code in them to prevent access to them. Anyone can access these HTML files without logging into the site.
Is there a way to use IIS Security to prevent access to these HTML files but still allow the users that are logged into the ASP session to access them? I have tried removing Authorized Users from the permissions, I have tried using the URL Authentication to
DENY ANONYMOUS . I have tried putting Application Pool permissions access only on the directory. No luck. Please help!
Jan 11, 2019 02:21 AM|smetzger|LINK
Not sure about your version of IIS but with 7.5 and ASP.net 4.5 this works...
<allow roles="User" />
<deny users="*" />
The above will allow anyone with the User role access to the htmlfiles directory. But if you don't have this role then you can't get to the directory. So, give all of your logged in Users as role like 'User'.