I´m testing a web site hosted on a Win2003 machine with diverse content (as
p,
htm, pdf, etc) and i´m confused about certain concepts on authenticationa a
nd
authorization access.

i have a folder with ZIPs and ASP pages and ONLY Anonymous access enabled.
i have made several tests, changing NTFS permissions (IIS permissions is
always as Read) and the results were strange.

IUSR_ and Users group have Logon Locally Right and Let Everyone Permissions
Apply to Anonymous is on default (Disabled)

If IUSR_MAchine is anonymous user, access have to be denied when ONLY
Everyone or Users is permitted on ACLs. Is it right?

The tests i´ve made with RX permissions on NTFS Folder´s ACL

 ========================================
=====
ACL on folder         ACTION
RESULT
 ========================================
=====
Everyone               Get zip file and process ASP page             OK and 
OK
Auth Users            Get zip file and process ASP page             OK and O
K
IUSR_Machine       Get zip file and process ASP page             OK and OK
Users                   Get zip file and process ASP page             OK and
OK
ASPNET               Get zip file and process ASP page             401.3 and
401.5
SYSTEM only        Get zip file and process ASP page             401.3 and
401.5
 ========================================
=====

If IUSR_Machine user is a nonymous user, why NTFS´s ACLs with Auth USers or
Everyone we have normal access? If IUSR_Machine user is accessing the web
page, why it can access even without proper NTFS permissions?

[ Post a follow-up to this message ]