Security

Virtual Directory Security

In order to publish from any directory not contained within your home directory, create a virtual directory. A virtual directory is a directory that is not contained in the home directory, but which appears to client browsers as though it were. Virtual directories have a small number of options for controlling access and content control:

Read
Write
Log Access
Directory Browsing
Index This Directory
Microsoft® FrontPage® Web (Web site only)

The default settings are Read, Log Access, Index This Directory, and FrontPage Web (for a Web site only).

Note Write access can be performed only with a browser that supports the PUT feature of the HTTP 1.1 protocol standard.

IIS also supports application settings that determine how executable content such as ASP pages operate. The three options are:

None: Doesn’t allow any programs or scripts to run in this directory.
Script: Enables applications mapped to a script engine to run in this directory, without having the Execute permission set. Use Script permission for directories that contain scripts in ASP pages, Internet Database Connector (IDC) scripts, or other scripts. Script permission is safer than Execute permission because you can limit the applications that can be run in the directory.
Execute: Allows any application to run in this directory, including applications mapped to script engines and Windows binaries (.dll and .exe files). It is suggested that you use this option with care.

If a virtual directory is on an NTFS drive, the settings for the directory must match these application settings. If they don’t, the most restrictive settings take effect. For example, if you give a directory Write permission but only give a particular user group Read access permissions in NTFS, the user group will not be able to write files to the directory because the Read permission is more restrictive.

See the following: