Hi, I want to give Anonymous ASP User READ only access to a particular folder. In Permissions Manager, Anonymous ASP User is not showing up. In IIS Manager (Authorization Rules), however, there are no options for setting READ or WRITE. So how do I set this using Permissions Manager? Reason for asking is that I want users to be able to upload to this particular directory via web. But I do not want them to access the file they have uploaded. My problem is if I set a rule using IIS Manager, they wouldn't be able to write and upload to that folder either. Anything in mind? Thanks
Hi, Make the changes right to your web.config like this: http://serverfault.com/questions/72680/iis7-how-to-block-access-with-a-web-config-file
Hi WiseMx, Thanks for the link. I tried using the system.web approach but it didn't work:

    <location path="uploads">
      <system.web>
        <authorization>
          <allow users="myself"/>
          <deny users="*"></deny>
        </authorization>
      </system.web>
    </location>

I could still read the file if I'm anonymous. I tried the system.webserver approach, and it worked. But I don't think it uses Forms Authentication (SqlMembershipProvider) but Windows Authentication so it denies everyone even myself:

    <location path="uploads">
      <system.webServer>
        <security>
          <authorization>
            <add accessType="Allow" users="myself" />
            <remove users="*" roles="" verbs="" />
          </authorization>
        </security>
      </system.webServer>
    </location>

Any thoughts? Thanks
Hi, There are two folders you can use which by default allow uploads, your files can write there, but users can't download files. DASP provides one of them -> _database The other is protected by ASP.NET -> App_Data Have you thought about using those folders? All the best, Mark
Hi Mark, I tried using the _database and App_Data folders. I can write into those folders and cannot read the files in them. Perfect! almost... Still Report Viewer cannot read them. I added myself on the .NET authorization rules but still no luck. Is there any way I can read the files from within my application only? Thanks
Hi, This makes sense with ReportViewer, it's not treated the way your app is. I'll look into this today and reply again if I find any solution for you. All the best, Mark
I think I figured it out! Using IIS 7 Url Rewrite, I created a rule denying requests from IP addresses that don't match my server's IP address. Just put a web.config file into the folder you want to secure and put the entry below.

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
            <!-- Apply the rule to every URL under this folder -->
            <match url="*" />
            <conditions>
              <!-- True when the client address is NOT the server's own address -->
              <add input="{REMOTE_ADDR}" pattern="77.11.36.12" negate="true" />
            </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>

Works like a charm. Thanks for helping out.
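
An added example, not part of the thread and not the poster's code: a small offline check that models only the part of URL Rewrite the rule above uses (one rule, `match url`, one negated `{REMOTE_ADDR}` condition, a `CustomResponse` action) and reports which client addresses receive the 403. It goes one step beyond the post by comparing the rule with a constructed variant that omits `patternSyntax`, so the default ECMAScript syntax applies; the function names `pattern_matches` and `status_for`, the file name `report.pdf` and the test addresses are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the post above (the address is the poster's own value).
WILDCARD_CONFIG = """<system.webServer><rewrite><rules>
  <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
      <add input="{REMOTE_ADDR}" pattern="77.11.36.12" negate="true" />
    </conditions>
    <action type="CustomResponse" statusCode="403" />
  </rule>
</rules></rewrite></system.webServer>"""

# Constructed variant for comparison: same rule without patternSyntax, so the
# default ECMAScript (regular expression) syntax applies.
REGEX_CONFIG = WILDCARD_CONFIG.replace(' patternSyntax="Wildcard"', "").replace(
    'url="*"', 'url=".*"')


def pattern_matches(pattern, text, syntax):
    if syntax == "Wildcard":
        # '*' is the only wildcard and the pattern must cover the whole input.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, text, re.IGNORECASE) is not None
    # ECMAScript: unanchored search in which '.' matches any character.
    return re.search(pattern, text, re.IGNORECASE) is not None


def status_for(config_xml, url, server_vars):
    """Status code of the first CustomResponse rule that fires, else None."""
    for rule in ET.fromstring(config_xml).iter("rule"):
        syntax = rule.get("patternSyntax", "ECMAScript")
        if not pattern_matches(rule.find("match").get("url"), url, syntax):
            continue
        fires = True  # all conditions must hold (default MatchAll grouping)
        for cond in rule.findall("conditions/add"):
            value = re.sub(r"\{(\w+)\}",
                           lambda m: server_vars.get(m.group(1), ""),
                           cond.get("input"))
            hit = pattern_matches(cond.get("pattern"), value, syntax)
            if cond.get("negate", "false").lower() == "true":
                hit = not hit
            fires = fires and hit
        action = rule.find("action")
        if fires and action.get("type") == "CustomResponse":
            return int(action.get("statusCode"))
    return None
```

With `patternSyntax="Wildcard"` only the exact address passes; in the regex variant an address such as 177.11.36.120 also passes because the pattern is unanchored and its dots match any character. A regex version of the rule would need the anchored, escaped pattern `^77\.11\.36\.12$`.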