FP: Form Results Not Secure in _Private Folder on IIS Server

By default, FrontPage stores results of the Save Results Form Handler in the _private folder. If you are using Microsoft Internet Information Server (IIS), the contents of this folder are available for anyone to view. In other words, anyone can access the results in this folder by opening a page from this folder in a Web browser.

When FrontPage creates the _private folder, it limits browse access to FrontPage authors and administrators only. It grants write access to the files in this folder so that the FrontPage Server Extensions can create and update the results file. However, IIS servers are unable to grant write access to a file without also granting read access.

To resolve this behavior, follow these steps:

1. Open your Web in FrontPage Explorer.
2. Right-click the _private folder and click Properties on the menu that appears.
3. In the _private Properties dialog box, click to clear each check box.
4. Click OK.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This behavior is specific to IIS servers only. This behavior does not occur on the UNIX platform or with other Web servers running on Windows NT. When you remove browse access on a folder, the server no longer allows access to the folder via HTTP. It does not alter the NTFS permissions of the folder.

The FrontPage Server Extensions still have full access to the folder and the files in it. And, you will still be able to view and edit files in the _private folder using FrontPage.