I've ran into a conundrum tryign to confiugre permissions for shared hosting on a web server running IIS. All of the sites serve content from a file share. Each site runs with the application pool user and each application pool user is a simple domain user. The domain users group is part of the local users group on the web server. This is so the application pools (running under a domain user) have access to .NET, PHP, classic ASP, etc. However, local users have read/list access to the root of C:\. This gives a user the ability to read and list all content on the C:\ drive.
I realize I can change permissions a number of ways to avoid this. But to change permissions I need to take ownership of a lot of folders since they are locked down. For example (even with LUA disabled via registry key) I cannot change permissions on C:\Program Files (x86)\. Even as the local Administrator user.
Even on a normal web server without using a share and using the application pool identity I can read and list the root of C:\.
You can test this by using your favorite programming language to list the contents of a directory.
Can this be safely locked down so this isn't possible?