PRB: 401 Error message if user is not included in the Bypass Traversal Checking policy

View products that this article applies to.

This article was previously published under Q324333

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)

For more information about IIS 7.0, visit the following Microsoft Web site:

http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1)

SYMPTOMS

When you connect to any page on an Internet Information Services (IIS) Web site, you may receive the following error message:

401.3 Unauthorized due to ACL on resource

Back to the top

CAUSE

This can occur if the account that is trying to access resources on the server does not have enough NTFS file system permissions on the resource.

Back to the top

RESOLUTION

Do not remove the Everyone group from the Bypass Traverse Checking policy. If the Everyone group must be removed from the policy for security reasons, make sure that the IUSR account is listed in the policy.

Back to the top

STATUS

This behavior is by design.

Back to the top

MORE INFORMATION

Steps to reproduce the behavior

Tighten the NTFS permissions on the resource. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
271071 (http://support.microsoft.com/kb/271071/ ) Minimum NTFS permissions required for IIS 5.0 to work
Remove Everyone from the local Bypass Traverse Checking security policy.
Try to access a simple HTML page on IIS. You receive the 401.3 error message.

Back to the top