The information in this article applies to:
Microsoft Windows 2000 Server
The World Wide Web (WWW) and FTP services that are included with Microsoft
Internet Information Server and Microsoft Internet Information Services are
fully integrated with Windows 2000 user accounts and file access permissions.
Every access to a resource (for example, a file, an HTML page, or an Internet
Server API (ISAPI) program) is performed by the services on behalf of a Windows
user. The service impersonates the user by supplying a user name and password
pair in the attempt to read or run the resource for the client.
back to the top
To change the NTFS permissions for
a file or folder:
1.
Click
Start , point to Programs , point to Accessories , and
then click Windows Explorer .
2.
Locate
the file or folder for which you want to set permissions.
3.
Right-click
the file or folder, click Properties , and then click the Security tab.
4.
To
set up permissions for a new group or user, click Add . Type the name of
the group or user for which you want to set permissions by using the domain
name \ user name format, and then click OK . To change
permissions in Windows NT 4.0, please read the "Permissions" Help
topic in Windows NT Help.
5.
To
change or remove permissions from an existing group or user, click the name of
the group or user.
6.
In Permissions
, click Allow or Deny for each permission you want to allow
or deny, if necessary. Or, to remove the group or user from the permissions
list, click Remove .
NOTE : The Deny permission takes precedence over Allow. Applying Deny to
the Everyone group might close the resource to that level of access by anyone,
including the administrator.
To change the virtual directory or
file security: You can also use Internet Information Server or Internet
Information Services virtual directory access control combined with NTFS access
permissions to configure access to specific files in a Web site. After a user
is authenticated for the Internet Information Server or Internet Information
Services virtual directory, Internet Information Server or Internet Information
Services uses the context of the requesting user to gain access to the NTFS
file based on the user account, the user rights policy, and the file
permissions.
1.
Click
Start, point to Programs, point to Administrative Tools,
and then click Internet Services Manager .
2.
In
the Internet Information Services snap-in, click a virtual directory, a
directory, or a file, and then open its properties.
3.
On
the Virtual Directory, Directory, or File tab (as
appropriate), click the access control options that you want.
For example, right-click the Scripts virtual directory of the Default
Web Site entry, and then click Properties. Click the Virtual
Directory tab, and change the access control options.
The access control options are:
Script Source Access: To allow users to access source code if either Read
or Write permissions are set, use this option. Source code includes scripts in
ASP programs.
NOTE: When you use the Script
Source Access option, users may be able to view sensitive information, such
as a user name and password, from the scripts in an ASP program. They can also
change source code that runs on your server, and seriously affect your server's
security and performance. Access to these types of information and functions is
best handled through individual Windows accounts and higher-level authentication,
such as integrated Windows authentication.
Read: To allow users to read or download files or folders and their
associated properties, use this option.
Write: To allow users to upload files and their associated properties to
the enabled folder on your server, or to change the content in a write-enabled
file, use this option. Writing can be performed only with a browser that
supports the PUT feature of the HTTP 1.1 protocol standard.
Directory Browsing: To allow users to see a hypertext listing of the files
and subfolders in this virtual directory, use this option. Virtual directories
will not appear in directory listings; users must know a virtual directory's
alias.
NOTE: Your Web server will display an
"Access Forbidden" error message in the user's Web browser if the
user attempts to access a file or folder and both of the following conditions
are true:
Directory browsing is disabled.
The user does not specify a file name, such as Filename
.htm.
Log Visits: To record visits to this folder in a log file, use this
option. Visits are recorded only if logging is enabled for this Web site.
Index This Resource: To allow Microsoft Indexing Service to include this
folder in a full-text index of your Web site, use this option.
If a virtual directory is on an NTFS drive, the access
permissions for the directory must match the settings in Internet Information
Server or Internet Information Services. If they do not match, the most restrictive
settings are used. For example, if you give a folder Write permission but give
a particular user group only Read access permissions in NTFS, those users
cannot write files to the folder because the Read permission is more
restrictive.
When you use NTFS permissions in conjunction with security
options in Internet Information Server or Internet Information Services, you
can grant or restrict access to specific users or groups to view only the
portions of the Web site you want them to view.
This article was excerpted from the 
Microsoft
Knowledge Base per educational agreement.