security issue about expose file directory

on 31.01.2007 20:26:02 by bettys

Hi all,

If, in an ASP program, I need to display a pdf file link for users to print
and read, is there any security issue? We are thinking about doing this as
many mail servers block emails with pdf file attachments. We are just trying to
give users an opportunity to print the document themselves instead of
completely depending on email delivery.

Thank you.
--
Betty

Re: security issue about expose file directory

on 31.01.2007 22:26:48 by exjxw.hannivoort

c676228 wrote on 31 jan 2007 in
microsoft.public.inetserver.asp.general:

> If in an ASP program, I need to display a pdf file link for users to
> print and read. Is there any security issue? We are thinking about
> doing this is many mail servers block emails with pdf file attachment.
> We just try to give an opportunity to users to print the document
> themselves instead of completely depending on email delivery.

You can just put the pdf file on the website, and as long as your users do
not divulge the address, it is safe, just as safe as if you send them the
file and they can send it to anyone else.

You could put the file behind a password, using ASP.

Showing the content of a directory is not necessary at all.
You can place a dummy index.asp or switch the IIS to no show.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 31.01.2007 23:33:01 by bettys

Hi Evertjan,
The pdf file is unique to every user who purchased on our web site. So it is
not a generic pdf file. Could you explain a little more "Showing the content
of a directory is not necessary at all.
> You can place a dummy index.asp or switch the IIS to no show." I don't get it yet.

Thank you.
--
Betty


"Evertjan." wrote:

> c676228 wrote on 31 jan 2007 in
> microsoft.public.inetserver.asp.general:
>
> > If in an ASP program, I need to display a pdf file link for users to
> > print and read. Is there any security issue? We are thinking about
> > doing this is many mail servers block emails with pdf file attachment.
> > We just try to give an opportunity to users to print the document
> > themselves instead of completely depending on email delivery.
>
> You van just put the pdf file on the website, and as long as your users do
> not divulge the address, it is safe, just as safe as if you send them the
> file and they can send it to anyone other.
>
> You could put the file behind a password, using ASP.
>
> Showing the content of a directory is not necessary at all.
> You can place a dummy index.asp or switch the IIS to no show.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
>

Re: security issue about expose file directory

on 01.02.2007 00:29:19 by exjxw.hannivoort

c676228 wrote on 31 jan 2007 in
microsoft.public.inetserver.asp.general:

>> You can place a dummy index.asp or switch the IIS to no show." I
>> don't get it yet.

[Please do not top-post on usenet]

> The pdf file is unique to every user who purchased on our web iste. So
> it is not a generice pdf file.

That does not matter, if the pdf file has a location in one of your web
directories, it can be reached from the web if you tell your customer where
it is in a link you sent him.

> Could you explain a little more
> "Showing the content of a directory is not necessary at all.

Why would it be necessary? Why would you plan to show it?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 01.02.2007 09:47:20 by Anthony Jones

"c676228" wrote in message
news:507ECE80-AB31-4AFF-A418-7CD063952750@microsoft.com...
> Hi Evertjan,
> The pdf file is unique to every user who purchased on our web iste. So it
> is not a generice pdf file. Could you explain a little more "Showing the
> content of a directory is not necessary at all.
> > You can place a dummy index.asp or switch the IIS to no show." I don't
> get it yet.
>

Is it important to restrict users to seeing only their reports and not
others?

I'll guess yes.

In that case you definitely will not want to give directory browsing to the
users.

Do these users receiving the email have a username and password they need to
use to access the web site?

If so then email them a link which requires them to enter their username and
password before redirecting to the PDF.

If not, then some form of security can be achieved by including a
GUID in the link to the PDF.

Anthony.

Re: security issue about expose file directory

on 01.02.2007 10:06:41 by exjxw.hannivoort

Anthony Jones wrote on 01 feb 2007 in
microsoft.public.inetserver.asp.general:

>
> "c676228" wrote in message
> news:507ECE80-AB31-4AFF-A418-7CD063952750@microsoft.com...
>> Hi Evertjan,
>> The pdf file is unique to every user who purchased on our web iste.
>> So it
> is
>> not a generice pdf file. Could you explain a little more "Showing the
> content
>> of a directory is not necessary at all.
>> > You can place a dummy index.asp or switch the IIS to no show." I
>> > don't
> get it yet.
>>
>
> Is it important to restrict users to seeing only their reports and not
> others?
>
> I'll guess yes.
>
> In that case you definitely will not want to give directory browsing
> to the users.
>
> Do these users receiving the email have a username and password they
> need to use to access the web site?
>
> If so then email them a link which requires them to enter their
> username and password before redirecting to the PDF.
>
> If not then email then some form of security can be acheived by
> incluing a GUID in the a link to the PDF.

A fairly safe way is to use a use-once web address.

So the client giving away the address would not be very useful.

How?

Make an ASP file with a unique name, like
http://domain.xyz/useoncedir/user+password+thepdfname.asp
Program it to download the pdf using a bitstream,
and immediately, or after a fixed time, say 10 minutes,
delete that asp file. The pdf location is kept secret.

The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/
so that the asp file does not have to exist,
and the virtual asp file could even be named:
http://domain.xyz/useoncedir/user+password+thepdfname.pdf



--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 01.02.2007 10:23:34 by Anthony Jones

"Evertjan." wrote in message
news:Xns98CA66DC7A7C1eejj99@194.109.133.242...
> Anthony Jones wrote on 01 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> >
> > "c676228" wrote in message
> > news:507ECE80-AB31-4AFF-A418-7CD063952750@microsoft.com...
> >> Hi Evertjan,
> >> The pdf file is unique to every user who purchased on our web iste.
> >> So it
> > is
> >> not a generice pdf file. Could you explain a little more "Showing the
> > content
> >> of a directory is not necessary at all.
> >> > You can place a dummy index.asp or switch the IIS to no show." I
> >> > don't
> > get it yet.
> >>
> >
> > Is it important to restrict users to seeing only their reports and not
> > others?
> >
> > I'll guess yes.
> >
> > In that case you definitely will not want to give directory browsing
> > to the users.
> >
> > Do these users receiving the email have a username and password they
> > need to use to access the web site?
> >
> > If so then email them a link which requires them to enter their
> > username and password before redirecting to the PDF.
> >
> > If not then email then some form of security can be acheived by
> > incluing a GUID in the a link to the PDF.
>
> A fairly safe way is to use a use-once-web-address.
>
> So the client giving away the address would not be very usefull.
>
> How?
>
> Make an ASP file with an unique name, like
> http://domain.xyz/useoncedir/user+password+thepdfname.asp
> Program it to download the pdf using a bitstream,
> and immediately, or after a fixed time, say 10 minutes,
> delete that asp file. The pdf location is kept secret.
>
> The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/
> so that the asp file does not have to exist,
> and the virtual asp file could even be named:
> http://domain.xyz/useoncedir/user+password+thepdfname.pdf
>

One caveat: I would not send out a URL in an email that includes the user's
name and password. Use a GUID; it's unique.

If there is an additional requirement that we don't want the user to view the
content and then later view it again (or give the URL to someone else to
view, which seems a bit draconian to me) then you can still use an ASP file
to deliver the content but limit the time the content can be viewed after
first use. There is no need for a 404 trick though; put the GUID in the
query string of a single ASP page.

Re: security issue about expose file directory

on 02.02.2007 20:55:01 by bettys

Hi Anthony and Evertjan,
Thank you both for the ideas. I did use a GUID to display a unique pdf to a
customer.
In order to hide the real pdf directory,
I think I can use Evertjan's idea here: make that link temporary and
remove that pdf after 10-15 min., and thus we can hide the real pdf
directory.
Can you tell me what is the best way to
"The whole thing can be made virtual using a custom 404.asp,
catching all requests for:
http://domain.xyz/useoncedir/"

Thank you.
--
Betty


"Evertjan." wrote:

> Anthony Jones wrote on 01 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> >
> > "c676228" wrote in message
> > news:507ECE80-AB31-4AFF-A418-7CD063952750@microsoft.com...
> >> Hi Evertjan,
> >> The pdf file is unique to every user who purchased on our web iste.
> >> So it
> > is
> >> not a generice pdf file. Could you explain a little more "Showing the
> > content
> >> of a directory is not necessary at all.
> >> > You can place a dummy index.asp or switch the IIS to no show." I
> >> > don't
> > get it yet.
> >>
> >
> > Is it important to restrict users to seeing only their reports and not
> > others?
> >
> > I'll guess yes.
> >
> > In that case you definitely will not want to give directory browsing
> > to the users.
> >
> > Do these users receiving the email have a username and password they
> > need to use to access the web site?
> >
> > If so then email them a link which requires them to enter their
> > username and password before redirecting to the PDF.
> >
> > If not then email then some form of security can be acheived by
> > incluing a GUID in the a link to the PDF.
>
> A fairly safe way is to use a use-once-web-address.
>
> So the client giving away the address would not be very usefull.
>
> How?
>
> Make an ASP file with an unique name, like
> http://domain.xyz/useoncedir/user+password+thepdfname.asp
> Program it to download the pdf using a bitstream,
> and immediately, or after a fixed time, say 10 minutes,
> delete that asp file. The pdf location is kept secret.
>
> The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/
> so that the asp file does not have to exist,
> and the virtual asp file could even be named:
> http://domain.xyz/useoncedir/user+password+thepdfname.pdf
>
>
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
>

Re: security issue about expose file directory

on 02.02.2007 21:29:49 by Dave Anderson

c676228 wrote:
> Hi Anthony and Everjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Everjan's idea: make that link temporarily and
> remove that pdf after like 10- 15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"

Do you know how to use the IIS Management Console to assign a custom script
for 404 errors?

If so, create an empty application -- for example, /UseOnce/ -- on your
website, and assign such a script for that application. In that script,
examine Request.QueryString. It will contain the full requested URL. Now you
can parse it.

In fact, all of the desired DATA in that URL comes after the string
/UseOnce/, so you can strip everything before it out:

URL:
http://your.domain.com/UseOnce/6CA825B0-2096-43ED-94E0-8C811E45CFB2

JScript:
// String() reads the whole query string out of the ASP collection object;
// the collection itself has no replace() method.
var Data = String(Request.QueryString).replace(/.*\/UseOnce\//,"")

VBScript:
Set RX = new RegExp
RX.Pattern = ".*/UseOnce/"
Data = RX.Replace(Request.QueryString,"")

In either example, the variable [Data] contains the string
"6CA825B0-2096-43ED-94E0-8C811E45CFB2". Go from there.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.

Re: security issue about expose file directory

on 02.02.2007 22:28:29 by exjxw.hannivoort

c676228 wrote on 02 feb 2007 in
microsoft.public.inetserver.asp.general:

> Hi Anthony and Everjan,
> Thank you both for the ideas. I did use GUID to display a unique pdf
> to a customer.
> In order to hide the real pdf directory,
> Here I think I can use Everjan's idea: make that link temporarily and
> remove that pdf after like 10- 15 min. and thus we can hide the real
> pdf directory.
> Can you tell me what is the best way to
> "The whole thing can be made virtual using a custom 404.asp,
> catching all requests for:
> http://domain.xyz/useoncedir/"
>

[Please do not top-post on usenet]

In custom 404.asp,
do something like this,
[this actual code is not tested; debug as required]

<%
'' IIS passes "404;<requested url>" to the custom error page
qstr = lcase(Request.ServerVariables("QUERY_STRING"))

'' this is my default picture if I have the link wrong:
if right(qstr,4)=".jpg" or right(qstr,4)=".gif" then
    response.redirect "/noPicFound404.gif"
end if

if instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 then
    x = instr(qstr,"/useoncedir/")+len("/useoncedir/")
    once = mid(qstr,x,99)
    strFileName = "/secretfile102938/" & once
    strFilePath = server.mappath(strFileName)
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

    '' only names listed here are served, and only before their expiry;
    '' qstr was lowercased above, so the names must be lowercase as well
    ok = false
    if once = "file123.pdf" and now<#2007/02/02 23:27# then ok=true
    if once = "file456.pdf" and now<#2007/02/03 20:27# then ok=true
    if once = "file78a.pdf" and now<#2007/02/03 05:27# then ok=true
    ''' better use a database but the above is a simple form

    if objFSO.FileExists(strFilePath) AND ok then
        '' stream the pdf as binary so its real location stays hidden
        Set objStream = Server.CreateObject("ADODB.Stream")
        objStream.Open
        objStream.Type = 1   '' adTypeBinary
        objStream.LoadFromFile strFilePath
        Response.Buffer = false
        Response.ContentType = "application/pdf"
        Response.AddHeader "Content-Type", "application/pdf"
        Response.AddHeader "Content-Disposition","inline;filename="&once
        Response.BinaryWrite objStream.Read
        Response.Flush
        objStream.Close
        Set objStream = Nothing
    else
        response.write "Sorry, nonexisting file"
    end if
    Set objFSO = Nothing
    Response.end
end if
%>

........
This is the 404 page
........



--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 03.02.2007 00:42:00 by bettys

Evertjan,
Thank you so much for your detailed instruction. It's very helpful. I am
wondering why you use " if
instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
"if instr(qstr,"http://domain.xyz:80/useoncedir/")>0"; what is "404;" here
for?
When a page is requested, based on your idea, what I need to do is get the file
name from the query string and check the file name and timestamp in the
database; if the file exists and meets the time requirement, transfer the
file, otherwise display an error page. Thank you.
--
Betty


"Evertjan." wrote:

> c676228 wrote on 02 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> > Hi Anthony and Everjan,
> > Thank you both for the ideas. I did use GUID to display a unique pdf
> > to a customer.
> > In order to hide the real pdf directory,
> > Here I think I can use Everjan's idea: make that link temporarily and
> > remove that pdf after like 10- 15 min. and thus we can hide the real
> > pdf directory.
> > Can you tell me what is the best way to
> > "The whole thing can be made virtual using a custom 404.asp,
> > catching all requests for:
> > http://domain.xyz/useoncedir/"
> >
>
> [Please do not toppost on usenet]
>
> In custom 404.asp,
> do something like this,
> [this actual code not tested debug as required]
>
> <%
> qstr = lcase(Request.ServerVariables("QUERY_STRING"))
>
> '' this is my default picture if I have the link wrong:
> if right(qstr,4)=".jpg" or right(qstr,4)=".gif" then
> response.redirect "/noPicFound404.gif"
> end if
>
> if instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 then
> x = instr(qstr,"/useoncedir/")+len("/useoncedir/")
> once = mid(qstr,x,99)
> strFileName = "/secretfile102938/" & once
> strFilePath = server.mappath(strFilename)
> Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
>
> ok = false
> if once = "file123.pdf" and now<#2007/02/02 23:27# then ok=true
> if once = "file456.pdf" and now<#2007/02/03 20:27# then ok=true
> if once = "file78A.pdf" and now<#2007/02/03 05:27# then ok=true
> ''' better use a database but the above is a simple form
>
> if objFSO.FileExists(strFilePath) AND ok then
> Set objStream = Server.CreateObject("ADODB.Stream")
> objStream.Open
> objStream.Type = 1
> objStream.LoadFromFile strFilePath
> Response.Buffer = false
> Response.ContentType = "application/pdf"
> Response.AddHeader "Content-Type", "application/pdf"
> Response.AddHeader "Content-Disposition","inline;filename="&once
> Response.BinaryWrite objStream.Read
> Response.Flush
> objStream.Close
> Set objStream = Nothing
> else
> response.write "Sorry, nonexisting file"
> end if
> Set objFSO = Nothing
> Response.end
> end if
> %>
>
> ........
> This is the 404 page
> ........
>
>
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
>

Re: security issue about expose file directory

on 03.02.2007 09:07:47 by exjxw.hannivoort

c676228 wrote on 03 feb 2007 in
microsoft.public.inetserver.asp.general:

> Evertjan,
> Thank you so much for your detailed instruction. It's very helpful. I
> am wondering why you use " if
> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;"
> here for?
> When a page is request, based on your idea, what I need to do is get
> file name from the query string and check the file name and timestamp
> in the database, if the file exists and meet the time requirement,
> transfer the file, otherwise, display an error page. Thank you.
> --
> Betty

>> [Please do not toppost on usenet]

Dear Betty,

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 03.02.2007 13:30:21 by Anthony Jones

"c676228" wrote in message
news:54C75D6B-1233-4471-A022-69F58D08046E@microsoft.com...
> Evertjan,
> Thank you so much for your detailed instruction. It's very helpful. I am
> wondering why you use " if
> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;" here
> for?

When a 404 error occurs, IIS invokes the page designated to handle 404 errors
for the folder in which it occurred. When this ASP script is executed, the
error code generated and the full URL of the requested page are placed in the
query string.

In some cases a developer may wish to have one handler page handle several
different error codes. The developer can use this error code prefix to
determine which error invoked the page.

Re: security issue about expose file directory

on 03.02.2007 13:31:10 by Anthony Jones

"Evertjan." wrote in message
news:Xns98CC5CE0584B1eejj99@194.109.133.242...
> c676228 wrote on 03 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> > Evertjan,
> > Thank you so much for your detailed instruction. It's very helpful. I
> > am wondering why you use " if
> > instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> > "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;"
> > here for?
> > When a page is request, based on your idea, what I need to do is get
> > file name from the query string and check the file name and timestamp
> > in the database, if the file exists and meet the time requirement,
> > transfer the file, otherwise, display an error page. Thank you.
> > --
> > Betty
>
> >> [Please do not toppost on usenet]
>
> Dear Betty,
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing on usenet?
>

In your opinion. Evidently there are plenty of others who do not agree with
you.

Re: security issue about expose file directory

on 03.02.2007 14:05:28 by exjxw.hannivoort

Anthony Jones wrote on 03 feb 2007 in
microsoft.public.inetserver.asp.general:

>
> "Evertjan." wrote in message
> news:Xns98CC5CE0584B1eejj99@194.109.133.242...
[..]
>> > Betty
>>
>> >> [Please do not toppost on usenet]
>>
>> Dear Betty,
>>
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>> A: Top-posting.
>> Q: What is the most annoying thing on usenet?
>>
>
> In your opinion. Evidently there are plenty of others who do not
> agree with you.

No matter Anthony, as you say it is my opinion, and a defendable one.

It seems you have no problem reading the above A-Q sequence, so be it.

Ignoring a polite request is another matter, if deliberate, which I doubt.
I don't want to conduct a usenet conversation that way.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: security issue about expose file directory

on 03.02.2007 19:02:01 by bettys

Anthony,
Thank you so much for the explanation. I got it.
--
Betty


"Anthony Jones" wrote:

>
> "c676228" wrote in message
> news:54C75D6B-1233-4471-A022-69F58D08046E@microsoft.com...
> > Evertjan,
> > Thank you so much for your detailed instruction. It's very helpful. I am
> > wondering why you use " if
> > instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> > "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;" here
> > for?
>
> When a 404 error occurs IIS invokes the page designated to handle 404 errors
> for the folder in which it occured. When this ASP script is executed the
> error code generated and full URL of the requested page is placed in the
> query string.
>
> In some cases a developer may wish to have one handler page handler several
> different error codes. The developer can use this error code prefix to
> determine which error invoked the page.
>
>
>
>

Re: security issue about expose file directory

on 03.02.2007 19:18:00 by bettys

Evertjan,
To tell you the truth, it took me a while to figure out what top-post means.
I saw that in one of your other posts and I searched in the dictionary and
even the web, but I didn't get the information. Now I get what you mean. Sorry, I
didn't mean to do it.
Probably it is my English problem. It is not my regular way to present the answer
first and the question next; I am not even aware I did it and am still wondering...
--
Betty


"Evertjan." wrote:

> Anthony Jones wrote on 03 feb 2007 in
> microsoft.public.inetserver.asp.general:
>
> >
> > "Evertjan." wrote in message
> > news:Xns98CC5CE0584B1eejj99@194.109.133.242...
> [..]
> >> > Betty
> >>
> >> >> [Please do not toppost on usenet]
> >>
> >> Dear Betty,
> >>
> >> A: Because it messes up the order in which people normally read text.
> >> Q: Why is top-posting such a bad thing?
> >> A: Top-posting.
> >> Q: What is the most annoying thing on usenet?
> >>
> >
> > In your opinion. Evidently there are plenty of others who do not
> > agree with you.
>
> No matter Anthony, as you say it is my opinion, and a defendable one.
>
> It seems you have no problem reading the above A-Q sequence, so be it.
>
> Ignoring a polite request is another, if deliberate, with I doubt.
> I don't want to condict a usenet conversation that way.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
>

Re: security issue about expose file directory

on 03.02.2007 19:39:30 by Dave Anderson

c676228 wrote:
> Evertjan,
> To tell you the truth, it took me a while to figure out
> what top-post means.

Seriously? Only four of the top five Google search results on [top post]
directly discuss the topic.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.

Re: security issue about expose file directory

on 03.02.2007 20:58:06 by Stefan Berglund

On Sat, 3 Feb 2007 12:30:21 -0000, "Anthony Jones" wrote:

>
>"c676228" wrote in message
>news:54C75D6B-1233-4471-A022-69F58D08046E@microsoft.com...
>> Evertjan,
>> Thank you so much for your detailed instruction. It's very helpful. I am
>> wondering why you use " if
>> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
>> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;" here
>> for?
>
>When a 404 error occurs IIS invokes the page designated to handle 404 errors
>for the folder in which it occured. When this ASP script is executed the
>error code generated and full URL of the requested page is placed in the
>query string.

How or where do you find this folder specificity in W2K Server?

---
Stefan Berglund

Re: security issue about expose file directory

on 03.02.2007 23:05:11 by Anthony Jones

"Stefan Berglund" wrote in message
news:q4q9s2h1ardeivq42cbese7fjdu62jpdfp@4ax.com...
> On Sat, 3 Feb 2007 12:30:21 -0000, "Anthony Jones"
> wrote:
> in
>
> >
> >"c676228" wrote in message
> >news:54C75D6B-1233-4471-A022-69F58D08046E@microsoft.com...
> >> Evertjan,
> >> Thank you so much for your detailed instruction. It's very helpful. I
am
> >> wondering why you use " if
> >> instr(qstr,"404;http://domain.xyz:80/useoncedir/")>0 " instead of
> >> "if instr(qstr,"http://domain.xyz:80/useoncedir/")>0", what is "404;"
here
> >> for?
> >
> >When a 404 error occurs IIS invokes the page designated to handle 404
errors
> >for the folder in which it occured. When this ASP script is executed the
> >error code generated and full URL of the requested page is placed in the
> >query string.
>
> How or where do you find this folder specificity in W2K Server?

Strictly speaking there isn't one. All properties are specific to the path,
including the file name. However, you have to jump through hoops to create a
404 handler specific to a file that doesn't actually exist, hence the closest
you can get in practical terms is the immediate container of the file.

IIS stores the set of custom error handlers for a path in a metabase
property 'HttpErrors', which is simply a list of error codes and the pages
that handle them.

Initially this property is only actually found in /LM/W3SVC/; all the sites
and folders under the sites inherit this property. Whenever this property
exists in a path down to the file itself, the most specific entry is used.

Anthony.

Re: security issue about expose file directory

on 03.02.2007 23:14:17 by Dave Anderson

"Stefan Berglund" wrote:
>> When a 404 error occurs IIS invokes the page designated to handle
>> 404 errors for the folder in which it occured. When this ASP script
>> is executed the error code generated and full URL of the requested
>> page is placed in the query string.
>
> How or where do you find this folder specificity in W2K Server?

Use the IIS Management console, and right-click on the folder. Point the 404
error to the script of your choice.

It's a bit more convoluted in IIS7, but the concept is essentially the same.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.