Securing internal IIS site

Is there a way to secure an internal IIS so only a select few users have access to it? If I select Integrated Windows Authentication and set security to the home directory folder for the IIS site to only some people, everyone else can still access it. If I set it to Basic Authentication then users get prompted for the credentials but still everyone can get access to the site.

P.S. This is only for intranet, so using basic authentication is not a security threat.
bbao (IT Consultant) commented:
> Where do I create it? In the sites directory? In the windows directory?

Basically, under the Sites directory, by using the IIS management console.

I believe the following MSKB articles could answer your additional questions. They are suitable for IIS6 as well.

How To Create a Virtual Directory in Internet Information Services (IIS)

How To Create the Web.config File for an ASP.NET Application

Hope it helps,

Ted Bouskill (Senior Software Developer) commented:
I'm assuming you are setting folder permissions on the physical folders?  If yes, that doesn't control access to the site.

There are actually three aspects to security in a web application.  One is defining authentication to access the site, two is what you can do within the site and three is the permissions of the processes you trigger when you are executing server side code.

Windows or Basic authentication in IIS is all or nothing.  You can't control granular access.  In order to control access more precisely you have to use ASP.NET and use a web.config file with 'Windows' authentication configured to set access rights to specific folders or files.
misengineers (Author) commented:
The only thing I don't understand is when they talk about creating a directory in step 1. Where do I create it? In the sites directory? In the windows directory?

And as far as web.config file, do I just create it in the sites directory? I see the File Location within is pointing to the site, but it's not created automatically.
Ted Bouskill (Senior Software Developer) commented:
Folders in IIS are mapped to physical folders on your hard drive.  You can locate your physical web application files anywhere on the server and then assign the website root to that physical folder.  The root is where the web.config would be located.  However, .NET supports nested web.config files so you can actually add additional web.config files in sub-folders or even create alternate web applications in virtual sub-folders.
misengineers (Author) commented:
Thanks guys! That's what I needed.
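
The kind of web.config discussed in this thread, as an added example that is not part of any participant's post: a root file that uses 'Windows' authentication and admits only named users and one group, plus a tighter rule for one sub-folder. The domain CONTOSO, the account and group names, and the folder name "reports" are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config placed in the site root, i.e. the physical folder the IIS site points to.
     Added example: CONTOSO, alice, bob, IntranetAdmins and "reports" are placeholders. -->
<configuration>
  <system.web>
    <!-- ASP.NET takes the identity that IIS established (Integrated Windows or Basic).
         Anonymous access has to be switched off for the site in IIS, otherwise
         every request arrives without a user identity. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow entries must come before the catch-all deny. -->
      <allow users="CONTOSO\alice,CONTOSO\bob" />
      <!-- With Windows authentication, roles map to Windows groups. -->
      <allow roles="CONTOSO\IntranetAdmins" />
      <!-- Everyone not matched above is refused. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one sub-folder. A nested web.config inside that folder
       containing the same authorization section has the same effect. -->
  <location path="reports">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\IntranetAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

On IIS 6 these rules cover only requests that ASP.NET handles (such as .aspx pages); static files are served by IIS without consulting them unless their extensions are mapped to ASP.NET.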
Question has a verified solution.
