Securing Sites with Web Site Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Web site permissions are not meant to be used in place of NTFS permissions. Instead, they are used with NTFS permissions to strengthen the security of your Web site content. You can configure your Web site's access permissions for specific sites, directories, and files. Unlike NTFS permissions, Web site permissions affect everyone who tries to access your Web site.

The following conditions apply to setting permissions:

  • If Web site permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.

  • Disabling permissions restricts all users. For example, disabling the Read permission restricts all users from viewing a file, regardless of the NTFS permissions applied to those users' accounts. However, enabling the Read permission can allow all users to view that file, unless NTFS permissions that restrict access have also been applied.

  • If both IIS and NTFS permissions are set, the permissions that explicitly deny access take precedence over permissions that grant access.


You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".


To set permissions for Web content (including WebDAV)

  1. In IIS Manager, double-click the local computer; right-click the Web Sites folder, an individual Web site folder, a virtual directory, or a file; and then click Properties.


    Configuration settings made at the Web Sites level are inherited by all of the Web sites on the server. You can override inheritance by configuring the individual site or site element.

  2. On the Home Directory, Virtual Directory, or File property sheet, select or clear any of the following check boxes (if available):

    • Read (selected by default) Users can view directory or file content and properties.

    • Write Users can change directory or file content and properties.

    • Script Source Access Users can access source files. If Read is selected, then source can be read, if Write is selected, then source can be written to. Script Source Access includes the source code for scripts. This option is not available if neither Read nor Write is selected.


      When you select Script source access, users might be able to view sensitive information, such as a user name and password. They might also be able to change source code that runs on your server, and thereby significantly affect your server's configuration and performance.

    • Directory browsing Users can view file lists and collections.

    • Log visits A log entry is created for each visit to the Web site.

    • Index this resource Allows Indexing Service to index this resource. This allows searches to be performed on the resource.

  3. Under Execute Permissions select the appropriate level of script execution:

    • None Do not run scripts or executables on the server.

    • Scripts only Run only scripts on the server.

    • Scripts and Executables Run both scripts and executables on the server.

  4. Click OK.