I've recently updated my application to IIS 7.5 and ASP.NET 4 from IIS ? and ASP.NET 2.0, so I am new to this issue and was frankly unaware that it was happening. I've tried for a couple of weeks and I still can download documents in a secure folder while I'm not able to access the .aspx pages.
So we have a couple of secure folders that have data that is not particularly sensitive but is not intended for public view. I've been trying to implement the IIS rules in the .NET web.config to restrict download of static content (e.g., .pdf, .png). There are two separate folder structures, and the business requirement is to have the web.config settings for access to the subfolders in the subfolder itself, not in the root of the application. I found several good websites, too many to list, that state that the customErrors section in the web.config only controls the ASP.NET content (e.g., .aspx pages). The new web.config settings restrict access to the pages in the secure folders but not to static content. What am I doing wrong?
I dynamically generate the roles that have access to the secure folders, so it would be best to utilize the web.config settings inside the subfolders. The documents and images are in subfolders of the folder that has the web.config. My assumption is that the denial would pass through to the subfolders, but I'm attempting to test that now.
Here are the root web.config security settings:
```xml
<!-- customErrors section, commented out by the poster (rest of the element truncated in the post) -->
<!--<customErrors mode="On" defaultRedirect="~/error.aspx"> ... -->

<!-- The remove/add pairs below use the <system.webServer><modules> syntax;
     the enclosing <system.webServer> and <modules> elements were omitted
     from the post and are assumed here. -->
<modules>
  <remove name="FormsAuthenticationModule" />
  <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
  <remove name="UrlAuthorization" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <remove name="RoleManager" />
  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
  <remove name="DefaultAuthentication" />
  <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
<httpErrors errorMode="Custom" existingResponse="Replace" defaultResponseMode="ExecuteURL">
  <!-- remove/add status codes here (removed) -->
</httpErrors>
```
Here are the root web.config settings. I deny everyone for testing purposes. The pages redirect to login even after every successful login and page attempt. The static content is still served (e.g., .txt, .pdf). Notice that the docs or img folder is not referenced here and, I believe, inherits the web.config from the folder above.
```xml
<deny users='*' />
```
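As an added example (not the poster's configuration): in the IIS 7.x integrated pipeline the ASP.NET authentication and authorization modules are registered with `preCondition="managedHandler"`, so by default they never see requests for static files. Re-adding them in the root web.config without that precondition makes Forms authentication, RoleManager and UrlAuthorization run for .pdf/.png/.txt requests too, and the subfolder web.config can then restrict the folder to a role. The login page, folder path and role name are assumed placeholders, and the application pool is assumed to be in Integrated mode.

```xml
<!-- Root web.config (added example). Module names are the ones IIS registers
     in applicationHost.config; removing and re-adding them drops the
     managedHandler precondition so they also run for static files. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />   <!-- assumed login page -->
    </authentication>
    <roleManager enabled="true" />
  </system.web>
  <system.webServer>
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>

<!-- secure/web.config in the protected subfolder (assumed path and role name).
     This is inherited by secure/docs and secure/img unless those folders
     carry a web.config of their own. The <authorization> rules apply to
     every request, static or managed, once the modules above run for all. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="SecureDocsReaders" />  <!-- assumed role name -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

To verify, request a .pdf from the secure folder in a fresh browser session: a 302 to the login page (or a 401 for a logged-in user outside the role) instead of the file confirms the modules now cover static content.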