Anonymous Users Have Same Access as Domain Users in IISID: Q147691
|
In Internet Information Server (IIS), you can allow only domain users to access most of the web pages and anonymous users to access specific public web pages using NTFS security permissions. However, you cannot do this if the Internet Information Server is installed on a primary domain controller (PDC).
In IIS, you can allow both anonymous and domain users to access the web pages if you select "allow Anonymous" and "Windows NT Challenge/Response" in WWW Service Properties. You can then use the NTFS security permissions to specify access to the Web server contents. IIS creates a special account called IUSR_<ComputerName> for anonymous logons. However, if you install IIS on a PDC, the IUSR_<ComputerName> account becomes a member of Domain Users. As a result, anonymous users have the same access as the Domain Users.
To correct this problem, remove IUSR_<ComputerName> from Domain User
global group and add it to the Guest group using User Manager for Domains.
NOTE: Any user account that you create on a PDC automatically becomes a
member of the Domain Users group.
Additional query words: prodiis
Keywords : kbnetwork iissecurity
Version : 1.0
Platform : WINDOWS
Issue type : Last Reviewed: April 30, 1999