This is driving my absolutely crazy.
I have a site in which I have disabled anonymous authentication and enabled Windows authentication.
The only NTFS permissions on the directory on disk that corresponds to the site are SYSTEM and my domain account. The directory is not inheriting any permissions from the parent directory.
When I visit the URL, I get the proper username and password prompt that one would expect from windows authentication; however ANY valid domain account can log in. It is not restricting it to the sole domain account listed on the NTFS permissions. If I enter an account that does not exist or a valid account with an invalid password, the login will fail.
I just want IIS to restrict the login to the account listed in the NTFS permissions!
What in the world am I missing?