Configure User & Group Access on an Intranet in Windows NT 4.0 or Windows 2000



The information in this article applies to:

*   Microsoft Windows 2000 Server

*   Microsoft Windows 2000 Professional

*   Microsoft Windows NT Server version 4.0

*   Microsoft Internet Information Server version 4.0

*   Microsoft Internet Information Services version 5.0




*   How to Change the NTFS Permissions for a File or Folder

*   How to Change the Virtual Directory or File Security

*   The Access Control Options

*   Notes



The World Wide Web (WWW) and FTP services that are included with Microsoft Internet Information Server and Microsoft Internet Information Services are fully integrated with Windows 2000 user accounts and file access permissions.

Every access to a resource (for example, a file, an HTML page, or an Internet Server API (ISAPI) program) is performed by the services on behalf of a Windows user. The service impersonates the user by supplying a user name and password pair in the attempt to read or run the resource for the client.


How to Change the NTFS Permissions for a File or Folder

To change the NTFS permissions for a file or folder:

1.     Click Start, point to Programs, point to Accessories, and then click Windows Explorer.

2.     Locate the file or folder for which you want to set permissions.

3.     Right-click the file or folder, click Properties, and then click the Security tab.

4.     To set up permissions for a new group or user, click Add. Type the name of the group or user for which you want to set permissions by using the domain name\user name format, and then click OK. To change permissions in Windows NT 4.0, please read the "Permissions" Help topic in Windows NT Help.

5.     To change or remove permissions from an existing group or user, click the name of the group or user.

6.     In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the group or user from the permissions list, click Remove.

NOTE: The Deny permission takes precedence over Allow. Applying Deny to the Everyone group might close the resource to that level of access by anyone, including the administrator.


How to Change the Virtual Directory or File Security

You can also use Internet Information Server or Internet Information Services virtual directory access control combined with NTFS access permissions to configure access to specific files in a Web site. After a user is authenticated for the virtual directory, Internet Information Server or Internet Information Services uses the context of the requesting user to gain access to the NTFS file based on the user account, the user rights policy, and the file permissions.

To change the virtual directory or file security:

1.     Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

2.     In the Internet Information Services snap-in, click a virtual directory, a directory, or a file, and then open its properties.

3.     On the Virtual Directory, Directory, or File tab (as appropriate), click the access control options that you want.

For example, right-click the Scripts virtual directory of the Default Web Site entry, and then click Properties. Click the Virtual Directory tab, and change the access control options.


The Access Control Options

The access control options are:

*   Script Source Access: To allow users to access source code if either Read or Write permissions are set, use this option. Source code includes scripts in ASP programs.

    NOTE: When you use the Script Source Access option, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP program. They can also change source code that runs on your server, and seriously affect your server's security and performance. Access to these types of information and functions is best handled through individual Windows accounts and higher-level authentication, such as integrated Windows authentication.

*   Read: To allow users to read or download files or folders and their associated properties, use this option.

*   Write: To allow users to upload files and their associated properties to the enabled folder on your server, or to change the content in a write-enabled file, use this option. Writing can be performed only with a browser that supports the PUT feature of the HTTP 1.1 protocol standard.

*   Directory Browsing: To allow users to see a hypertext listing of the files and subfolders in this virtual directory, use this option. Virtual directories will not appear in directory listings; users must know a virtual directory's alias.

    NOTE: Your Web server will display an "Access Forbidden" error message in the user's Web browser if the user attempts to access a file or folder and both of the following conditions are true:

    *   Directory browsing is disabled.

    *   The user does not specify a file name, such as Filename.htm.

*   Log Visits: To record visits to this folder in a log file, use this option. Visits are recorded only if logging is enabled for this Web site.

*   Index This Resource: To allow Microsoft Indexing Service to include this folder in a full-text index of your Web site, use this option.

Notes


*   If a virtual directory is on an NTFS drive, the access permissions for the directory must match the settings in Internet Information Server or Internet Information Services. If they do not match, the most restrictive settings are used. For example, if you give a folder Write permission but give a particular user group only Read access permissions in NTFS, those users cannot write files to the folder because the Read permission is more restrictive.

*   When you use NTFS permissions in conjunction with security options in Internet Information Server or Internet Information Services, you can grant or restrict access to specific users or groups to view only the portions of the Web site you want them to view. 
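The following Python sketch is an added example, not part of the Knowledge Base article. It is a simplified model of the rules stated above: Deny takes precedence over Allow in NTFS, script source needs Script Source Access in addition to Read or Write, and the most restrictive of the virtual directory and NTFS settings wins. The account names, group names and ACL entries are constructed sample data, and the model ignores inheritance and other permission types.

```python
# Added example: simplified model of combined IIS + NTFS access checks.
# Group names and ACL entries below are constructed sample data.

def ntfs_allows(acl, identities, perm):
    """acl: list of (principal, 'Allow' | 'Deny', permission) entries.
    identities: the user's account name plus every group it belongs to.
    Deny takes precedence over Allow; no matching Allow means no access."""
    kinds = {kind for who, kind, p in acl if p == perm and who in identities}
    return "Deny" not in kinds and "Allow" in kinds

def iis_allows(options, perm, script_source=False):
    """options: access control options enabled on the virtual directory.
    Script source is reachable only if Script Source Access is set in
    addition to the Read or Write option being requested."""
    if perm not in options:
        return False
    return not script_source or "Script Source Access" in options

def effective_access(options, acl, identities, perm, script_source=False):
    """The most restrictive setting wins: both layers must allow."""
    return (iis_allows(options, perm, script_source)
            and ntfs_allows(acl, identities, perm))

VDIR = {"Read", "Write"}                      # IIS options on the folder
ACL = [("Editors", "Allow", "Read"), ("Editors", "Allow", "Write"),
       ("Staff", "Allow", "Read")]            # NTFS entries on the folder
STAFF = {"EXAMPLE\\alice", "Staff", "Everyone"}
EDITOR = {"EXAMPLE\\bob", "Editors", "Everyone"}
ADMIN = {"EXAMPLE\\admin", "Administrators", "Everyone"}

def demo():
    # Same ACL after someone applies Deny Write to the Everyone group.
    locked = ACL + [("Administrators", "Allow", "Write"),
                    ("Everyone", "Deny", "Write")]
    return {
        "staff_write": effective_access(VDIR, ACL, STAFF, "Write"),
        "staff_read": effective_access(VDIR, ACL, STAFF, "Read"),
        "editor_write": effective_access(VDIR, ACL, EDITOR, "Write"),
        "editor_source": effective_access(VDIR, ACL, EDITOR, "Read", True),
        "editor_source_ssa": effective_access(
            VDIR | {"Script Source Access"}, ACL, EDITOR, "Read", True),
        "admin_write_after_deny_everyone":
            effective_access(VDIR, locked, ADMIN, "Write"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `staff_write` case is the article's own example: the folder has Write enabled in the virtual directory settings, but the group holds only Read in NTFS, so the write is refused.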

This article was excerpted from the Microsoft Knowledge Base per educational agreement.