User(s) able to see doc library AFTER removed from permissions list

[JonathanHerschel]

I am seeing a problem where SharePoint users are able to see restricted material after they were removed from having permissions to access.

I have a document library created on TopSite1/SubsiteA where if you break permissions from the site, all users that don't have permissions cannot see the document library in the QuickLaunch on the left, and will get Access Denied if typing in the URL.

But, I then create a document library on TopSite2/SubsiteA and after I break permissions from the site, both test users I am using can still see the document library on the QuickLaunch, and can see all document and all folders inside. They do not have permissions via MANAGE PERMISSIONS --> remove users.

I don't understand how this could be. Both TopSite1 and TopSite2 are in the same Site Collection. This is WSS. I don't know of any site to site settings such as anonymous or read only settings.

The same users were used to test both document libraries, so this isn't a user problem.
Has anyone ever seen such an issue? Any suggestions are appreciated.
Thanks

 

[dinger2121]

are you checking your list permissions to ensure that the users do not have access directly to the list?

carl
MCSD, MCTS:MOSS

 

[JonathanHerschel]

Sorry, I should have been more clear.

I went into the doc library permissions and removed users from it. I even removed myself. But after that was done, I and other user accounts are still able to see the document library and all contents therein. So permissions were 'edited' on the doc library level. Permissions were checked in all folders and the documents and my account and other accounts are not included...

I wonder if there are some sort of server or web app settings that could allow everyone read all or anonymous access...but then again...why does this work on another site in the same Site Collection...very strange...


thanks.

Jonathan K Herschel

 

[SPV]

Do they (and you) have permissions through some other user group? Perhaps a domain group?

To answer your other question, there is a way in WSS (and MOSS) of granting overarching access but it only operates at the web application level. It's generally how you allow the Search service crawl account to view all content. You'll find the settings on the "Policy for Web Application" page of the Admin Console (under the Application Security heading on the Application Management tab). But this operates above the site collection level, so I doubt it's coming into play in your scenario.

 

[JonathanHerschel]

I found the issue - Anonymous access is enabled. When I go into Central Admin > Application Management > Authentication Providers > Edit Authentication, the Internet Zone had Anonymous Access ENABLED. So, the reason why some document libraries where able to be restricted (permissions broken from inherited parent) was because Anonymous Access Settings were set to Nothing on the site where I could create a restricted library, and set to Entire Web Site on the sites where I tried to break permissions, but all users could still see library and contents. To enable/disable at a site level, add the following after the Site URL:
“_layouts/setanon.aspx”

Setting:
Entire Web Site = could not create restricted content
Nothing = was able to create restricted content

Also, this was at one of my clients, so I did not know Anonymous Access was enabled at the Central Admin level.

Thanks to all who posted their thoughts!







Jonathan K Herschel