Securing internal IIS site

Is there a way to secure an internal IIS so only a select few users have access to it? If I select Integrated Windows Authentication and set security to the home directory folder for the IIS site to only some people, everyone else can still access it. If I set it to Basic Authentication then users get prompted for the credentials but still everyone can get access to the site.

P.S. This is only for intranet, so using basic authentication is not a security threat.
misengineersAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ted BouskillSenior Software DeveloperCommented:
I'm assuming you are setting folder permissions on the physical folders?  If yes, that doesn't control access to the site.

There are actually three aspects to security in a web application.  One is defining authentication to access the site, two is what you can do within the site and three is the permissions of the processes you trigger when you are executing server side code.

Windows or Basic authentication in IIS is all or nothing.  You can't control granular access.  In order to control access more precisely you have to use ASP.NET and use a web.config file with 'Windows' authentication configured to set access rights to specific folders or files.
misengineersAuthor Commented:
The only thing I dont understand is when they talk about creating a directory in step 1. Where do I create it? In the sites directory? In the windows directory?

And as far as web.config file, do I just create it in the sites directory? I see the File Location within ASP.net is pointing to the site, but it's not created automatically.
asp.net.png
Ted BouskillSenior Software DeveloperCommented:
Folders in IIS are mapped to physical folders on your hard drive.  You can locate your physical web application files anywhere on the server and then assign the website root to that physical folder.  The root is where the web.config would be located.  However, .NET supports nested web.config files so you can actually add additional web.config files in sub-folders or even create alternate web applications in virtual sub-folders.
bbaoIT ConsultantCommented:
> Where do I create it? In the sites directory? In the windows directory?

basically, under Sites directory, by using IIS management console.

i believe the following MSKB articles could answer your additional questions. they are suitable for IIS6 as well.

How To Create a Virtual Directory in Internet Information Services (IIS)
http://support.microsoft.com/kb/172138

How To Create the Web.config File for an ASP.NET Application
http://support.microsoft.com/kb/815179

hope it helps,
bbao

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
misengineersAuthor Commented:
Thanks guys! That's what I needed.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.