Install web application on C-Drive?

My company makes an IIS-based web application that runs on Windows Server 2003. A person at my company is convinced that "nobody should ever install a web application onto the C drive, for security reasons". Therefore, we insist that all our customers create a "D" partition and install the webapp onto that partition.

This notion seems bizarre to me, mainly because, of the thousands of web-security articles I've read, nothing like this has ever been mentioned. And I have installed many web apps from other companies, and they all install to C by default, and none of them recommend to "not install to c".

I am looking for info about this, "for" or "against", backed up by specifics, online articles, and anything else reputable.
LVL 11
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SweatCoderAuthor Commented:
Note: I am looking for as many posts as possible. If somebody else posts something that you agree with, please post and say that you agree, etc., or add anything you'd like. I will split points for a few of the most valuable posts.
Hi SweatCoder,

There are a number of reason why one would want to install a web application on a partition other than the system drive.  Foremost is the number of exploits within IE and web apps that can grant a malicious user access to the file system - putting the application on D: somewhat lessens the chance that the intruder may 'take down' the entire server.

As a general systems administration rule, it is best practice and strongly recommended for any server to have a seperate partition for applications.  C:\ drive should be reserved for OS (and possibly paging) only and D:\, E:\, etc for all other applications (web apps, Office, virus software, etc)

SweatCoderAuthor Commented:
jss1199, that's a well-stated answer, but...can you give me a link to [an] article(s) that backs up your assertion?
I know of a couple that recommend a separate OS partition.  I doubt you will find much *documented* as separating OS from data and applications is entrenched as the de facto best practice....  

Microsoft recommendation - Windows 2000 Security Hardening Guide -

  Excerpt - For servers, we recommend using about 4 GB of space on one disk for the operating system. The remaining space in the system should be reserved for data files, services, utilities and so on. We highly discourage storage of user data files on the boot partition on servers, while on workstations this is acceptable practice which makes it easier for users to locate their data.

Informit -

  Excerpt - It's generally best to keep the operating system on a separate partition from your applications and data. System and boot partitions are where you initially boot from, usually drive C:\

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.