IIS 7.5 - FTP IP Restrictions Not Stopping Authentication


When configuring "FTP IPv4 Address and Domain Restrictions", I can set the "Access for unspecified clients" to "Deny" under the "Edit Feature Settings" option. Even with this option configured, unspecified IP addresses are still able to get to the point where the server responds that it is a valid username or not.

As a matter of fact, if you are using "Virtual Host Names", the server will let you know if the username/password combination you tried is good or bad.

For example:
1) If you enter a username like "BobSmith" for an FTP site of ftp.iis.net, then it will return the error "530 Valid hostname is expected"

2) If you enter a valid username like ftp.iis.net|BobSmith, you are prompted for the password

3) If the password you enter is invalid, the server returns "530 User cannot log in"

4) If the password you enter IS VALID, the server returns "530 User cannot log in, home directory inaccessible"

As you can see, this is bad. BAD. Despite having IP restrictions on, someone can still tell if the password they are attempting is correct. Can someone else confirm this to be the case, because surely this isn't how Microsoft intended this to work. After all, it wasn't this broken in previous IIS versions.
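A defender-side check for the behaviour described in the post, added here as an example and not part of the original thread: it reads IIS FTP W3C log lines and flags every PASS command from a client outside the configured allow list. With "Access for unspecified clients" set to Deny, the expected result is an empty list, because such clients should be refused before they reach authentication. The allow list, the log lines and the field order are constructed assumptions; take the real field order from the `#Fields:` header of your own log.

```python
import ipaddress

# Allow list assumed to match the site's "FTP IPv4 Address and Domain Restrictions"
# (constructed value, not from the post).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Fallback field order assumed for IIS 7.5 FTP W3C logs; a #Fields: header overrides it.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port", "cs-method",
          "cs-uri-stem", "sc-status", "sc-win32-status", "sc-substatus",
          "x-session", "x-fullpath"]

# Constructed sample log: one allowed client logs in, one denied client still gets
# as far as USER/PASS and receives the 530 reply described in the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2012-01-10 10:00:01 10.0.0.5 - 192.0.2.10 21 ControlChannelOpened - - 0 0 a1 -
2012-01-10 10:00:02 10.0.0.5 ftp.iis.net|BobSmith 192.0.2.10 21 USER ftp.iis.net|BobSmith 331 0 0 a1 -
2012-01-10 10:00:03 10.0.0.5 ftp.iis.net|BobSmith 192.0.2.10 21 PASS *** 230 0 0 a1 /
2012-01-10 10:05:01 198.51.100.7 - 192.0.2.10 21 ControlChannelOpened - - 0 0 b2 -
2012-01-10 10:05:02 198.51.100.7 ftp.iis.net|BobSmith 192.0.2.10 21 USER ftp.iis.net|BobSmith 331 0 0 b2 -
2012-01-10 10:05:03 198.51.100.7 ftp.iis.net|BobSmith 192.0.2.10 21 PASS *** 530 0 0 b2 -
"""


def parse_log(text):
    """Yield one dict per log record, using the #Fields: header when present."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip malformed or truncated records
            yield dict(zip(fields, parts))


def is_allowed(ip):
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_auth_from_denied_clients(text):
    """Return (c-ip, cs-username, sc-status) for each PASS command sent by a client
    that the IP restriction should have rejected before authentication."""
    return [(r["c-ip"], r["cs-username"], r["sc-status"])
            for r in parse_log(text)
            if r["cs-method"] == "PASS" and not is_allowed(r["c-ip"])]
```

Any non-empty result means the restriction is only being applied after the credentials have been checked, which is exactly the condition the post describes.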
