In Microsoft Visual Studio Team System Web Access (TSWA) 2008, when you type a URL in a browser window, you can access documents in the network location even if you do not provide logon credentials or if access is denied. For example, you type the following URL in a browser window:
https://<Team Foundation Web Access>/UI/Pages/WorkItems/DownloadAttachment.aspx?basename=Release.txt&url=\\<internal_machine_name>\Software\Applications\OS\Windows2003\AUTORUN.INF
If you click Cancel when you are prompted to log on, the document still appears.
Note The network locations can be accessed from the Microsoft Visual Studio Team Foundation Server (TFS) server by using the TFS service account.
This problem occurs because DownloadAttachment.aspx runs under the context of the process account and not under the context of the logged-on user.
To resolve this problem, obtain the Visual Studio Team System Web Access 2008 Service Pack 1 (SP1) Power Tool. After you install the Power Tool, a blank page appears instead of the document when you use the URL to open the document in TSWA 2008.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
To work around this problem, restrict access to the network locations for the TSWA Application Pool Identity.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.