how do you disable FileSystemObject via folders and WScript.Shell completely?

Hi All,
I need to be able to disable the FileSystemObject in IIS, but only for certain websites running on IIS 6 W2K3 Server.  Is this possible? If so, how?
I have the sites in a folder called "d:\websites" as in: "d:\websites\site1" , "d:\websites\site2", and so forth

I can't disable "scripts" in IIS because these are Active Server Pages and obviously can't run with scripts disabled.

I saw some other answers on this topic concerning a separate user account, but I need more details on actually how to go about this (e.g. which ones have to be turned off in order for this to be disbled on a folder by folder basis?).

Also, I would like to completely disable "WScript.Shell".  If this is disabled completely, are there dependent processes that could be affected?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

To disable on entire server you need to unregister a couple of dlls.
See AndresM's suggestion here: http:Q_20563953.html for disabling FSO.
See for disabling on in-process sites.

To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them.
simplyamazingAuthor Commented:
"To restrict only to certain sites, leave them registered but look at changing the ntfs permissions on these dlls so that only specific users are able to trigger them."

Since IIS uses only one account (IUSR_machinename), do you mean that I add another IUSR account?  Since every website uses the same account, I don't see how this can be done.

IWAM actually, IUSR is your anonymous user.
I'm trying to find a way for you that doesn't involve editing the metabase (suggestions from other ppl are most welcome). Will get back to you.
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

If you take a look at this one you need to have a different IUSR account for each site:
There was also a little more info at the first link I posted (see accepted answer:  http:Q_20563953.html)

Basically you would do the following:
-create multiple unique IUSR accounts (eg IUSR1, IUSR2, IUSR3)
-Assign rights to each account on the dll ACL lists as you require (i.e. access, no access, etc)
-go to iis management mmc snap-in
--> right click your website / directory / virtual directory,
-->properties-->security--> change "Account used for anonymous access" to one of the unique users.

This should restrict access to the anonymous accounts as per the dll's ACL list.


yes, alimu's last comment is the way to do it.  you can set a different interactive anonymous user for every web site (or even every sudirectory) to suit.

if you do that, then you may not need to disable the filesystem components at all.

what i do is this:

1. create a new user, give it log on locally rights.
2.  creat a web directory (eg c:\inetpub\userx) and grant read/write/execute rights to the new user and  administrator group only (ie remove ebveryone and iusr etc) - leave system access if you want.
3.  create a new web site, point the web root to the users web directory/
4.  edit the anonymous user, set it to the new user, and enter the password.
5.  alternative step, is you can create an ftp virtual folder from the ftp root called (eg) 'userx' that points to their web root for remote file upload.

now when anyone connects to that web site, IIS will run under the profile of that new user.  so even if that user writes asp code to (for example) create a file somewhere else (assuming you have allowed 'parent paths' to the application profile), if you have not given explicit write access to that user for the location they are trying to do it, the attempt will fail anyhow.

if you want to disable just write access, then just take away write permission to those locations from that user, and iis won;t be able to write there either (because iis will run masqueraded as the user you have set as the 'anonymous user')


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
thanks for detail meverest - appreciated.
ouch! a point split would've been nice.
simplyamazingAuthor Commented:
how do you do a point split?  as soon as I accept an answer, I only get an option for a grade (I've never seen anywhere to put points, much less split them).  they should make this system a little more intuitive
I think they're continually working on intuitive, it's a bit of an evolving process :)
Don't worry about the split this time, just have a read and you'll know to do it next time round.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.