Anonymous Access

Internet Information Server permits anonymous access in the WWW, FTP, and Gopher services by default. There are no differences between an anonymous intranet site and an anonymous Internet site.

Even when you use anonymous access, permissions for all activity on a system running Internet Information Server are determined by user name. Associating a user name with every action is fundamental to Windows NT security.

During installation, Internet Information Server creates IUSR_computername, a standard user account, as the user name for all anonymous access. A random password is generated for IUSR_computername. The account is added to the local directory services database on stand-alone systems or to the domain directory services database on primary or backup domain controllers. You modify this account by using User Manager.

Internet Explorer and most other Web browsers do not provide a user name and password when connecting to a Web server, so Internet Information Server uses the IUSR_computername account, as shown in Figure 3.1.

Figure 3.1 Anonymous access process

Anonymous access is enabled by default. You set anonymous access by using the Service property sheet for each service. The account information for the IUSR_computername or other account specified in the Service property sheet must also agree with the settings in User Manager for the same account, as shown in Figure 3.2. Users are denied access if the user name and password do not match.

Figure 3.2 Matching user names and passwords in Internet Service Manager and User Manager

To provide only anonymous access—which is preferable for most installations—you clear the Basic (clear text) and Windows NT Challenge/Response boxes. If you provide anonymous access only, no one can use a Windows NT account maliciously. For example, anonymous-only settings prevent anyone from gaining access by using the Administrator account or any other account with sufficient permissions to alter your computer.
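The logon decision described above can be sketched as a small model. This is an added example, not Internet Information Server code: the computer name WEB01, the passwords, and the function and key names are constructed for illustration, and the rule that supplied credentials are honored only when Basic or Windows NT Challenge/Response is enabled is the model's simplification of the text.

```python
# Simplified model of the anonymous-access logon decision (illustrative only).
# ACCOUNTS stands in for User Manager; each settings dict stands in for the
# Service property sheet. All names and values are constructed.

def settings(anon_user, anon_password, anonymous=True, basic=False, ntlm=False):
    """Build a constructed stand-in for one service's property sheet."""
    return {"anon_user": anon_user, "anon_password": anon_password,
            "anonymous": anonymous, "basic": basic, "ntlm": ntlm}

def logon(accounts, user, password):
    """Return the user name if it matches the account database, else None."""
    return user if accounts.get(user) == password else None

def resolve_identity(svc, accounts, supplied=None):
    """Return the account a request runs as, or 'DENIED'.

    supplied is an optional (user, password) pair sent by the client.
    """
    # Supplied credentials count only if a non-anonymous method is enabled.
    if supplied and (svc["basic"] or svc["ntlm"]):
        return logon(accounts, *supplied) or "DENIED"
    if svc["anonymous"]:
        # The property-sheet values must agree with User Manager.
        return logon(accounts, svc["anon_user"], svc["anon_password"]) or "DENIED"
    return "DENIED"

# Constructed sample data.
ACCOUNTS = {"IUSR_WEB01": "generated-at-install", "Administrator": "admin-pass"}
ADMIN = ("Administrator", "admin-pass")
ANON_ONLY = settings("IUSR_WEB01", "generated-at-install")
WITH_BASIC = settings("IUSR_WEB01", "generated-at-install", basic=True)
MISMATCH = settings("IUSR_WEB01", "stale-password")

if __name__ == "__main__":
    cases = [
        ("anonymous only, no credentials", ANON_ONLY, None),
        ("anonymous only, Administrator credentials sent", ANON_ONLY, ADMIN),
        ("Basic enabled, Administrator credentials sent", WITH_BASIC, ADMIN),
        ("anonymous password out of sync with User Manager", MISMATCH, None),
    ]
    for label, svc, creds in cases:
        print(f"{label}: {resolve_identity(svc, ACCOUNTS, creds)}")
```

In the anonymous-only case the request still runs as IUSR_WEB01 even when Administrator credentials are sent, which is the property the last paragraph relies on.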