We have websites set up on Windows 2003 Web Edition using IIS6. Two of the websites require an admin folder to have passwords to allow access to the folders. Each website is in its own directory under a \Webs folder.
The standard security permissions are set on the "\webs" folder and subfolder.
SERVER\Administrator -> Full Control
Creator Owner -> Special
System -> Full Control
SERVER\Users -> Read & Execute, List Folder Contents, Read
I have created two new user accounts UserA and UserB and removed them from the Users group.
In the IIS6 snap-in I have set the properties of each \admin folder by unchecking "Enable anonymous access", then going into permissions and adding the user (A or B) to their associated website.
In both websites, accessing the www.domain.com\admin\ folder prompts for a username and password and will allow access if supplied. However, UserA can use their username/password in UserB's website and UserB can use their username/password to access UserA's admin folder.
Can anyone explain to me what I am doing wrong and, more importantly, how to correct this? Each user should only have access to their domain's admin sub-folder.
Thank you for your time.