This step-by-step article describes how to configure Web
permissions for Web content in Internet Information Services (IIS) 6.0.
You can set Web permissions for specific Web sites, folders, and
files on your server. Unlike the NTFS file system permissions that apply only
to either a specific user or a group of users who have a valid Windows account,
Web permissions apply to all users who access your Web site regardless of their
specific access rights. NTFS permissions control access to physical directories
on your server, whereas Web permissions control access to virtual directories
on your Web site.
For example, you can use Web permissions to control
whether visitors to your Web site can view a particular Web page, upload
information, or run scripts. When you configure both Web permissions and NTFS
permissions, you can control how users access your Web content on several
levels, from the whole Web site to individual files.

Configure Web Server Permissions for Web Content

To configure Web server permissions for Web content, follow these
Click Start, point to All
Programs, point to Administrative Tools, and then
click Internet Information Services (IIS) Manager.
ServerName is the name of the server, and then expand Web
Right-click either the Web site, the virtual directory, the
folder, or the file that you want to set permissions for, and then click
Click one of the following tabs, as appropriate to your
Either click to select or click to clear any of the
following check boxes (if present) that are appropriate for the level of Web
permissions that you want to set:
Script source access: Grant this
permission to permit users to access source code. Source code includes scripts,
such as scripts in Active Server Pages (ASP) programs. This permission is only
available if either the Read permission or the Write permission is
Note When you use this option, users may be able to view sensitive
information, such as a user name and a password, from scripts in an ASP
program. They may also be able to change source code that runs on your server.
This can seriously affect the security and the performance of your server. You
may want to control access to this type of information and to these functions
by using individual Windows accounts and higher-level authentication, such as
integrated Windows authentication.
Read: Grant this permission to permit
users to either view or download files or folders and their associated
properties. By default, Read permission is selected.
Write: Grant this permission to permit
users either to upload files and their associated properties to the enabled
folder on your server or to change the content or properties of a write-enabled
Directory browsing: Grant this
permission to permit users to view a hypertext listing of the files and the
subfolders in the virtual directory. The folder listings do not contain the
virtual directories. Users must know the alias of the virtual
Note A user may receive an "Access Forbidden" error message if the
user tries to access either a file or folder on your server and both of the
following conditions are true:
Directory browsing is
The user does not specify a file name such as
Filename.htm in the Address
Log visits: Grant this permission to
log visits to this folder in a log file. A log entry is recorded only if you
enable logging for the Web site.
Index this resource: Grant this
permission to permit Microsoft Indexing Service to include this folder in a
full-text index of the Web site. When you grant this permission, users can
query this resource.
In the Execute Permissions box, click the
option that you want to determine how scripts run on the site. The following
options are available:
None: Click this setting if you do not
want users to run scripts or executable programs on the server. When you use
this setting, users can access only the static files such as Hypertext Markup
Language (HTML) and image files.
Scripts only: Click this setting to
run scripts such as ASP programs on the server.
Scripts and Executables: Click this
setting to run both scripts such as ASP programs and executable programs on the
Click OK, and then quit the IIS snap-in.
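
The check boxes and the Execute Permissions setting described above are stored per node in the IIS 6.0 metabase, so they can be reviewed across a whole site without opening each Properties dialog box. The following script is an added example, not part of the original article: it reads a constructed, simplified MetaBase.xml excerpt and reports the Web permissions on each node. The metabase flag names (AccessRead, AccessWrite, AccessSource, AccessScript, AccessExecute, EnableDirBrowsing) do not appear in the article, and the node paths are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified MetaBase.xml excerpt (sample data, not from the article).
SAMPLE = """<MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
      AccessFlags="AccessRead | AccessScript"
      DirBrowseFlags="DirBrowseShowDate | EnableDefaultDoc"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/upload"
      AccessFlags="AccessRead | AccessWrite | AccessSource | AccessExecute | AccessScript"
      DirBrowseFlags="EnableDirBrowsing | DirBrowseShowDate"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/images" AccessFlags="AccessRead"/>
</MBProperty>"""

# Metabase flag name -> check box label shown in IIS Manager.
CHECKBOXES = {"AccessSource": "Script source access",
              "AccessRead": "Read", "AccessWrite": "Write"}

def flags(value):
    """Split a 'FlagA | FlagB' attribute value into a set of flag names."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}

def execute_level(access):
    """Map the script/execute flags to the Execute Permissions setting."""
    if "AccessExecute" in access:
        return "Scripts and Executables"
    return "Scripts only" if "AccessScript" in access else "None"

def audit(xml_text):
    """Return {Location: (granted check boxes, execute level, findings)}."""
    report = {}
    for node in ET.fromstring(xml_text).iter():
        if "AccessFlags" not in node.attrib:
            continue  # node sets no flags of its own and inherits from its parent
        access = flags(node.get("AccessFlags"))
        granted = [label for name, label in CHECKBOXES.items() if name in access]
        if "EnableDirBrowsing" in flags(node.get("DirBrowseFlags")):
            granted.append("Directory browsing")
        findings = []
        # The article's Note: Script source access applies on top of Read or Write.
        if "AccessSource" in access and "AccessRead" in access:
            findings.append("visitors can view script source")
        if "AccessSource" in access and "AccessWrite" in access:
            findings.append("visitors can change script source")
        report[node.get("Location")] = (granted, execute_level(access), findings)
    return report

if __name__ == "__main__":
    for loc, (granted, level, findings) in audit(SAMPLE).items():
        print(loc, granted, level, findings or "no findings")
```

A node that reports findings is one where the article's advice applies: restrict access with individual Windows accounts and NTFS permissions rather than relying on Web permissions alone.
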
When you try to change the security properties of a Web
site or virtual directory, IIS checks the existing settings on the child nodes
(virtual directories and files) that the Web site or virtual directory contains.
If the permissions that are set at the lower levels are different, an
Inheritance Overrides dialog box appears. To specify the child
nodes that inherit the permissions that you set at the higher level, click the
node or nodes in the Child Nodes list, and then click
OK. The child node inherits the new permissions
If Web permissions and NTFS permissions differ for either a
folder or a file, the more restrictive of the two settings is used. For
example, if you grant Write permissions to a folder in IIS, and grant Read
permissions to a particular user group in NTFS, those users cannot write files
to the folder because Read permissions are more restrictive.
Disabling a Web permission restricts access for all users.
For example, if you disable Web permissions (for example, Read permissions) on
a resource, none of the users can view that resource, regardless of the NTFS
permissions that the users' accounts have. If you enable Web permissions (for
example, Read permissions) on a resource, all the users can view that resource
unless you also apply NTFS permissions that restrict access to it.
When both Web permissions and NTFS permissions are set, the
permissions that explicitly deny access take precedence over permissions that
For more information about how to configure Web server and
NTFS permissions for Web content, see the "Access Control" topic in the
"Security" section of the Server Administrator Guide in the IIS 6.0 Online
Documentation. To view the IIS 6.0 Online Documentation, visit the following
Microsoft Web site: