You have configured http://mySharePointSite for anonymous access at the site level (lists and libraries) and you want to prevent a specific group from accessing the SharePoint site, so you add the group at the web application level and assign the "Deny All" permission.
Steps to reproduce:
1. Configure a web application.
2. Activate NTLM + Anonymous on default zone.
3. Create a new site collection.
4. Access the site collection.
5. Access "Site Settings/Site permissions" and activate anonymous access for the entire web site.
6. Access the "Shared Documents" list and break the permission inheritance.
7. Access the "Shared Documents" list, access the library permissions settings, click on Anonymous access and enable "View Items".
8. Access the Central Administration web site.
9. Access the web application and add a user policy to this web application (on all zones or default zone). Configure a "Deny All" access for an Active Directory group.
10. Check the "Anonymous access" setting on the "Shared Documents" list.
The "View Items" permission is disabled, and anonymous users are prompted for credentials when they attempt to browse the "Shared Documents" list.
To work around this behavior, use one of the following options:
1. Assign the "Deny Write" web application policy to the group instead of "Deny All".
2. Extend your web application to a second zone. Use one zone as the authenticated zone and assign the "Deny All" web application policy to that zone only. Use the second zone as the anonymous zone and configure anonymous access for that zone.
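The second option can be scripted from the SharePoint Management Shell. The following is an added example, not part of the original article. It assumes SharePoint 2010 or later in classic (NTLM) authentication mode, and the anonymous-zone URL, host header, and group name are hypothetical placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://mySharePointSite"   # existing web application (Default zone, NTLM)
$anonHost  = "anon.example.com"          # hypothetical host header for the anonymous zone
$group     = "CONTOSO\DeniedGroup"       # hypothetical Active Directory group to deny

# 1. Extend the web application to a second zone that allows anonymous access.
New-SPWebApplicationExtension -Identity $webAppUrl -Name "Anonymous zone" `
    -Zone Internet -URL "http://$anonHost" -Port 80 -HostHeader $anonHost `
    -AllowAnonymousAccess

# 2. Reload the web application so the object reflects the new zone.
$webApp  = Get-SPWebApplication $webAppUrl
$denyAll = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::DenyAll)

# 3. Remove any "(All zones)" policy for the group. A Deny All policy that
#    applies to every zone is the configuration that disables "View Items".
if ($webApp.Policies | Where-Object { $_.UserName -eq $group }) {
    $webApp.Policies.Remove($group)
}

# 4. Add Deny All for the group on the authenticated (Default) zone only.
$defaultZone  = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$zonePolicies = $webApp.ZonePolicies($defaultZone)
if (-not ($zonePolicies | Where-Object { $_.UserName -eq $group })) {
    $policy = $zonePolicies.Add($group, "Denied group")
    $policy.PolicyRoleBindings.Add($denyAll)
}
$webApp.Update()

# 5. Verify: the group should appear under the Default zone only, and the
#    Internet zone should report anonymous access as enabled.
foreach ($zone in $webApp.IisSettings.Keys) {
    $hit = $webApp.ZonePolicies($zone) | Where-Object { $_.UserName -eq $group }
    "{0,-10} anonymous={1,-5} denyPolicyForGroup={2}" -f `
        $zone, $webApp.IisSettings[$zone].AllowAnonymous, [bool]$hit
}
```

The script does not turn off anonymous access on the Default zone. If that zone should be authenticated only, change it under the web application's authentication providers in Central Administration.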
Article ID: 2685979 - Last Review: Mar 14, 2012 - Revision: 1