It is important to understand the distinction between Web server permissions and NTFS permissions. Unlike NTFS, Web server permissions apply to all users accessing your Web and FTP sites. NTFS permissions apply only to a specific user or group of users with a valid Windows account. NTFS controls access to physical directories on your server, whereas Web and FTP permissions control access to virtual directories on your Web or FTP site. For more information, see Web and FTP Sites.
By default, Web and FTP access permissions use the Windows account IUSR_computername. When users access your site, using anonymous authentication, they use this account. By default, IUSR_computername is given NTFS permissions by IIS for the actual folders that comprise the Web or FTP site. You can, however, change these permissions for any folder or file in your site. For example, you can use Web server permissions to control whether users visiting your Web site are allowed to view a particular page, upload information, or run scripts on the site. For more information, see About Access Control.
Important
- If Web permissions and NTFS permissions differ for a directory or file, the more restrictive settings are used.
- Your Web server will prompt you for permission to reset the properties of individual directories and files when you attempt to set security properties for your Web site or a virtual directory. If you choose to reset these properties, your previous security settings will be replaced by the new settings. For more information about setting properties, see the Properties and Inheritance of Properties on Sites section in About Web and FTP Sites.
- Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP 1.1 standard for exposing any storage media, such as a file system, over an HTTP connection. With the IIS 5.0 implementation of WebDAV, you can allow remote authors to create, move, search, or delete files and directories on your server. Because WebDAV is an implementation of the HTTP 1.1 proposed draft, it is not available for non-HTTP services, such as FTP sites. For more information, see WebDAV Publishing.
To set Web server permissions for Web content (including WebDAV)
- In the Internet Information Services snap-in, select a Web site, virtual directory, or file, and open its property sheets.
- On the Home Directory, Virtual Directory, or File property sheet, select or clear any of the following check boxes (if available):
- Read (selected by default) Users can view directory or file content and properties.
- Write Users can change directory or file content and properties.
- Script Source Access Users can access source files. If Read is selected, then source can be read, if Write is selected, then source can be written to. Script Source Access includes the source code for scripts, such as the scripts in an ASP application. This option is not available if neither Read nor Write is selected.
- Directory browsing Users can view file lists and collections.
- Log visits A log entry is created for each visit to the Web site.
- Index this resource Allows Indexing Service to index this resource. This allows searches to be performed on the resource.
- Under Execute Permissions select the appropriate level of script execution:
- None Don't run scripts, such as ASP applications, or executables on the server.
- Scripts only Run only scripts, such as ASP applications, on the server.
- Scripts and Executables Run both scripts, such as ASP applications, and executables on the server.
- Click OK.
Notes
- Disabling Web server permissions, such as Read, restricts all users from viewing a file, regardless of the NTFS permissions applied to those users' accounts. However, enabling a permission can allow all users to view that file, unless NTFS permissions that restrict access have also been applied.
- If both Web server and NTFS permission are set, the permissions that explicitly deny access take precedence over permissions that grant access.
Caution When you select Script Source Access, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP application. They may also change source code that runs on your server, and seriously affect your server's security and performance. Access to these types of information and functions are best utilized through individual Windows accounts and higher-level authentication, such as Digest or integrated Windows authentication.
To set Web server permissions for FTP content
- In the Internet Information Services snap-in, select a Web site, virtual directory, or file, and open its property sheets.
- On the Home Directory,Virtual Directory, or File property sheet, select or clear any of the following check box options:
- Read Users can view file contents.
- Write Users can change file contents.
- Log visits Users can view log file contents.
For more information about these property sheets, click Help on the appropriate property sheet.
© 1997-1999 Microsoft Corporation. All rights reserved.