IIS 7 Windows Authentication allows any domain account

This is driving my absolutely crazy.

I have a site in which I have disabled anonymous authentication and enabled Windows authentication.

The only NTFS permissions on the directory on disk that corresponds to the site are SYSTEM and my domain account.  The directory is not inheriting any permissions from the parent directory.

When I visit the URL, I get the proper username and password prompt that one would expect from windows authentication; however ANY valid domain account can log in.  It is not restricting it to the sole domain account listed on the NTFS permissions.  If I enter an account that does not exist or a valid account with an invalid password, the login will fail.

I just want IIS to restrict the login to the account listed in the NTFS permissions!

What in the world am I missing?
Who is Participating?
Shreedhar EtteCommented:

Use URL authorization for this.

Refer this:

Hope this helps,
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.