File Access Rights for downloading through a web page with IIS6

This may be something very basic that I did not grasp.
I have a web page with some file download links (.Zip and .MSI). All this runs on a Win 2003 Web Server with Active Directory installed. The files are in different physical folders with virtual folders pointing to them in IIS. (FrontPage Extension 2002 is on, if this is a factor.)
For the access rights I have several groups with read (only) access rights. I create users which are only in this one group in Active Directory. The physical folders containing the files have different groups in the security list, depending on which group I will allow to download the files.
Here is the problem:
When I play a user and click on a link to a file to download in my web page, the user name and password are asked for. If OK, the file can be downloaded. So far so good. But after this, any other link to files in folders NOT containing the group of the logged-in user can also be downloaded. A logged-in user can access all the files through all the links in the page, even if his group is not listed in the folder's security tab or in the inheriting files within. Why?


Go to the virtual server folder in Explorer, open Permissions > Advanced, then reset the security so that it applies to all child objects.

It's possible you moved a file from a secured folder on the same hard drive as your virtual server folder. If that's the case, then the file will not get the parent folder settings you set up; you have to either copy it into the folder and then delete the original, or move the file and then reset the security...

To check your security, get "accessenum" from - this will list out the folder security, then any differences in subfolders or files...

If all that fails, you can try denying integrated authentication: on the virtual server's Directory Security tab, go to Edit under Authentication and access control, then untick all authentication options except Anonymous access.
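
The permission check described in the answer above (finding files whose access list differs from what their folder hands down) can also be scripted. This is an added example, not part of the original thread; the path `D:\Downloads` and the function name `Get-AclDrift` are assumptions, and it only uses the standard `Get-ChildItem` and `Get-Acl` cmdlets.

```powershell
# Added example (not from the thread). Lists allow-ACEs on files that name an
# identity the parent folder does not pass down to files, which is how a file
# moved within one volume looks after keeping the ACL of its old location.
param([string]$Root = 'D:\Downloads')   # hypothetical path, adjust to your site

function Get-AclDrift {
    param([string]$Path)
    $objInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file      = $_
            $fileAcl   = Get-Acl -Path $file.FullName
            $parentAcl = Get-Acl -Path $file.DirectoryName

            # Identities whose folder ACEs are flagged to inherit onto files.
            $expected = @($parentAcl.Access |
                Where-Object { $_.InheritanceFlags -band $objInherit } |
                ForEach-Object { $_.IdentityReference.Value })

            # An inherited CREATOR OWNER ACE is rewritten to the file's owner
            # (the literal name assumes an English-language system).
            if ($expected -contains 'CREATOR OWNER') { $expected += $fileAcl.Owner }

            $fileAcl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $expected -notcontains $_.IdentityReference.Value } |
                Select-Object @{Name='File';      Expression={ $file.FullName }},
                              @{Name='Identity';  Expression={ $_.IdentityReference.Value }},
                              @{Name='Rights';    Expression={ $_.FileSystemRights }},
                              @{Name='Inherited'; Expression={ $_.IsInherited }},
                              @{Name='Protected'; Expression={ $fileAcl.AreAccessRulesProtected }}
        }
}

Get-AclDrift -Path $Root | Format-Table -AutoSize
```

A row with `Inherited` set to True for an identity the folder does not list is a stale entry carried over from the file's previous location; reapplying the folder's permissions to child objects replaces it.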
