This may be very basics I did not grasp.
I have a web page with some file download links (.Zip and .MSI). All this runs on a Win 2003 Web Server with an active directory installed. The files are on different physical folders with virtual folders pointing to it in IIS. (Frontpage Extension 2002 is on, if this is a factor)
For the access rights I have several groups with read (only) access rights. I create users which are only in this one group in the active directory. The physical folders containing the files have different groups in the security list, depending on which group I will allow to download the files.
Here is the problem:
When I play a user and click on a link to a file to download in my web page, the user name and password is asked. If OK, the file can be downloaded. So far so good. But after this, any other link to files in folders NOT containing the group of the logged user can also be downloaded. A logged-in user can access all the files through all the links in the page, even if his group is not listed in the folders security tab or in the inheritng files within. Why?