Either put the files completely outside the web-site so that they are not
accessible via HTTP at all or put them in a web-site directory that does not
allow read access in IIS.
For an example of the second approach, try these URLs:
http://www.ielearning.com/wbtroot/html/logo.gif
http://www.ielearning.com/wbtroot/asp/logo.gif
--
--Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"WC Justice" <> wrote in message
news:HVEyd.14148$...
>I have a SQL Server-driven website with public and secure areas. Anonymous
>connection is via IUSR and authentication for the secure area is done via
>asp. Several pages first authenticate with asp and then use the fso to
>provide access to certain files for downloading or viewing via hyperlink.
>Up to this point, I am satisfied that I am able to control access to
>certain files and folders.
>
> The problem arises that, if an internet user guesses the path and
> filename, he can download a file through the browser. The actual files
> are outside of the website tree, and are accessed via virtual directories.
> I have tried to fix this by limiting access to the base folder to internal
> users only and creating a user "IFSO" that has external access.
>
> Where I am at this point is that I get a "File Not Found" error when the
> fso.getfolder method tries to execute. Can I pass userid and password
> arguments in the getfolder method? If not, do you have any ideas as to
> how to give the website access to these folders without giving the public
> unrestricted access to them?
>
> Thank you
>
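
The first approach from the reply (files kept where HTTP cannot reach them, handed out only by an ASP page after the login check), as an added example that is not part of the original posts. The `Session("Authenticated")` flag, the `file` query parameter and the `D:\PrivateFiles\` folder are assumptions, and the account the ASP page runs under is assumed to have NTFS read access to that folder.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumptions (not from the thread): the login page sets
' Session("Authenticated") = True, and the files live in D:\PrivateFiles\,
' a folder that is not inside the site and not mapped as a virtual directory.
Const BASE_DIR = "D:\PrivateFiles\"
Const adTypeBinary = 1

Dim fileName, re, fso, fullPath, stream

' 1. Refuse anyone who has not passed the ASP login.
If Session("Authenticated") <> True Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. Accept a bare file name only. The pattern has no room for "\", "/",
'    ":" or "..", so the request cannot climb out of BASE_DIR.
fileName = Request.QueryString("file")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$"
If Not re.Test(fileName) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Resolve the name under the fixed base folder and confirm it exists.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
fullPath = fso.BuildPath(BASE_DIR, fileName)
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 4. Send the bytes through the script; there is no URL that maps to the file.
'    LoadFromFile reads the whole file into memory, so this suits modest sizes.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

With this in place, the download hyperlinks point at the script (for example `download.asp?file=report.pdf`, a constructed name) rather than at the file, so guessing a path gives the browser nothing to request.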