Ok, I think it is possible that you are confusing the types of permissions although I could be mistaken -- so please do not take offense if this is an incorrect assumption.
When dealing with a default site created in IIS you have two sets of permissions available if you use Anonymous Access with IUSR and Integrated Windows Authentication is enabled:
IIS Permissions
NTFS Permissions
IIS permissions are typically controlled/configured using the IIS MMC, whereas NTFS permissions are controlled using the NT ACL (Access Control List), which is accessed by right-clicking a file, then Properties, Security.
In IIS I always use the default permissions and use the NT ACL to exert more stringent control on the directories and files.
Depending if the user is local to the site, meaning if the site is being accessed via
then the security context changes slightly since the user at least had logon permissions in the first place to access localhost. So, to simplify things, let's assume all access to the ASP file is from a remote client, and for example we will use the URL
When the user executes this request in the browser (the http client) at the URL
and the above conditions are true (IIS has Anonymous Access and Integrated Auth enabled and the Anon user is IUSR), then IIS will use the ACL on the file requested and determine if IUSR has permission or not.
So, say you have the default settings in IIS, and you do not want the remote user to access the file, you would modify the ACL and remove IUSR -- this has nothing to do with changing permissions in IIS; only on the file that you wish to restrict access.
The exception to the rule is the default Users Group entry in the ACL that is by default set on new files and folders -- assuming you have not modified the original ACL on the file you want to restrict. This means that if a remote client logs in with NT credentials, and they are in the Users Group, they can access this script from the browser. If this is the case and you would like to restrict the access to the file from the Users Group you would remove the Users Group entry in the ACL on that directory and/or file.
Hope this helps.
-a6m1n0
Curiosity only kills cats.
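
The ACL change described in the post above, as an added PowerShell example that is not part of the original post. The function name, the file path and the account names (`IUSR`, `BUILTIN\Users`) are assumptions; older IIS versions name the anonymous account differently, so pass the name your server uses.

```powershell
# Added example: remove the anonymous account and the Users group from the
# NTFS ACL of one web-served file. Names and path are assumptions.
function Remove-NtfsAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Path,
        [string[]] $Identity = @('IUSR', 'BUILTIN\Users')
    )

    $acl = Get-Acl -LiteralPath $Path

    # Entries inherited from the parent folder cannot be removed directly.
    # Protect the ACL and keep the inherited entries as explicit copies.
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($Path, 'Disable inheritance (copy entries)')) {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
        $acl = Get-Acl -LiteralPath $Path   # re-read so the copies are explicit
    }

    foreach ($name in $Identity) {
        try {
            $account = [System.Security.Principal.NTAccount]$name
            # Fail early if the account does not exist on this machine.
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
            $acl.PurgeAccessRules($account)   # drops every entry for this account
        } catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "Account '$name' not found on this machine; skipped."
        }
    }

    if ($PSCmdlet.ShouldProcess($Path, "Remove entries for $($Identity -join ', ')")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the remaining entries so the result can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Hypothetical path; -WhatIf previews the changes without writing them.
Remove-NtfsAccess -Path 'C:\inetpub\wwwroot\private\report.asp' -WhatIf
```

Run it without `-WhatIf` to apply the change, and check that the returned list still contains the administrative and service accounts that need the file.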