I have a file named "deny.asp" inside a subdirectory ("authtest") that has Windows Authentication turned on and anonymous access disabled. I set the NTFS permission on this file to explicity Deny everything. I can confirm the deny permissions are working because I cannot open the ASP file anymore in Notepad++.
However, if I type in the URL (http://example.com/authtest/deny.asp), it comes right up in my browser! When I output the value of request.serverVariables("LOGON_USER"), it prints my domain and username to the screen, so the server knows it is me, but the NTFS permissions don't seem to take any effect!
- Windows Server 2008 R2
- IIS 7.5