Baffling IIS/ASP Security Issue

on 01.02.2008 23:09:18 by Paul

Someone please help me with this perplexing access problem. I've been
struggling all day with it. Here's the scenario: Windows 2003, IIS6,
running a Classic ASP application, with basic authentication against our
domain. I've given "engineering users" access to the wwwroot for the site.
So fine, they can access the ASP pages in the site, no problem. However, I
want to give another group "sales group" (same domain) access to just a
certain subfolder of the site (but not the rest of the site). So I added
their group to the subfolder ACL. However, they cannot access the ASP files
in that subfolder (401.3 error) unless I grant them access to the wwwroot
(parent) folder, which I don't want to do. What's strange is that they can
access HTML or ASPX files in their subfolder. Just not ASP. Something
about ASP files that wants to look at the wwwroot ACL. I tried to limit
their wwwroot level access, like just granting traverse and list access, but
IIS wants full read access on the root, propagated down. Any ideas how to
fix this while keeping the security tight? Thanks!