IIS/ASP Security Issue -- Please help!

Someone please help me with this perplexing access problem. I've been
struggling all day with it. Here's the scenario: Windows 2003, IIS6,
running Classic ASP application, with basic authentication against our
domain. I've given "engineering users" access to the wwwroot for the site.
So fine, they can access the ASP pages in the site, no problem. However, I
want to give another group "sales group" (same domain) access to just a
certain subfolder of the site (but not the rest of the site). So I added
their group to the subfolder ACL. However, they cannot access the ASP files
in that subfolder (401.3 error) unless I grant them access to the wwroot
(parent) folder, which I don't want to do. What's strange is that they can
access HTML or ASPX files in their subfolder. Just not ASP. Something
about ASP files that wants to look at the wwwroot ACL. I tried to limit
their wwwroot level access, like just granting traverse and list access, but
IIS wants full read access on the root, propagated down. Any ideas how to
fix this while keeping the security tight? Thanks!

On Feb 1, 4:10*pm, "Paul" <pstah...@yahoo.com> wrote:
> Someone please help me with this perplexing access problem. *I've been
> struggling all day with it. *Here's the scenario: Windows 2003, IIS6,
> running Classic ASP application, with basic authentication against our
> domain. *I've given "engineering users" access to the wwwroot for the site.
> So fine, they can access the ASP pages in the site, no problem. *However, I
> want to give another group "sales group" (same domain) access to just a
> certain subfolder of the site (but not the rest of the site). *So I added
> their group to the subfolder ACL. *However, they cannot access the ASP files
> in that subfolder (401.3 error) unless I grant them access to the wwroot
> (parent) folder, which I don't want to do. *What's strange is that they can
> access HTML or ASPX files in their subfolder. *Just not ASP. *Something
> about ASP files that wants to look at the wwwroot ACL. *I tried to limit
> their wwwroot level access, like just granting traverse and list access, but
> IIS wants full read access on the root, propagated down. *Any ideas how to
> fix this while keeping the security tight? *Thanks!

Is there anything in the .ASP pages that are trying to access files
outside the sub directory you have given access to them?

Larry

No, even if I put an empty.asp file there, it still exhibits the problem.

"daKernel" <heintz.larry@gmail.com> wrote in message
news:ecc17d5d-d247-4870-b49b-7edfa857cae2@m34g2000hsf.googlegroups.com...
On Feb 1, 4:10 pm, "Paul" <pstah...@yahoo.com> wrote:
> Someone please help me with this perplexing access problem. I've been
> struggling all day with it. Here's the scenario: Windows 2003, IIS6,
> running Classic ASP application, with basic authentication against our
> domain. I've given "engineering users" access to the wwwroot for the site.
> So fine, they can access the ASP pages in the site, no problem. However, I
> want to give another group "sales group" (same domain) access to just a
> certain subfolder of the site (but not the rest of the site). So I added
> their group to the subfolder ACL. However, they cannot access the ASP
> files
> in that subfolder (401.3 error) unless I grant them access to the wwroot
> (parent) folder, which I don't want to do. What's strange is that they can
> access HTML or ASPX files in their subfolder. Just not ASP. Something
> about ASP files that wants to look at the wwwroot ACL. I tried to limit
> their wwwroot level access, like just granting traverse and list access,
> but
> IIS wants full read access on the root, propagated down. Any ideas how to
> fix this while keeping the security tight? Thanks!

Is there anything in the .ASP pages that are trying to access files
outside the sub directory you have given access to them?

Larry

On Feb 6, 1:19*am, "Paul" <pstah...@yahoo.com> wrote:
> No, even if I put an empty.asp file there, it still exhibits the problem.
>
> "daKernel" <heintz.la...@gmail.com> wrote in message
>
> news:ecc17d5d-d247-4870-b49b-7edfa857cae2@m34g2000hsf.googlegroups.com...
> On Feb 1, 4:10 pm, "Paul" <pstah...@yahoo.com> wrote:
>
>
>
>
>
> > Someone please help me with this perplexing access problem. I've been
> > struggling all day with it. Here's the scenario: Windows 2003, IIS6,
> > running Classic ASP application, with basic authentication against our
> > domain. I've given "engineering users" access to the wwwroot for the site.
> > So fine, they can access the ASP pages in the site, no problem. However,I
> > want to give another group "sales group" (same domain) access to just a
> > certain subfolder of the site (but not the rest of the site). So I added
> > their group to the subfolder ACL. However, they cannot access the ASP
> > files
> > in that subfolder (401.3 error) unless I grant them access to the wwroot
> > (parent) folder, which I don't want to do. What's strange is that they can
> > access HTML or ASPX files in their subfolder. Just not ASP. Something
> > about ASP files that wants to look at the wwwroot ACL. I tried to limit
> > their wwwroot level access, like just granting traverse and list access,
> > but
> > IIS wants full read access on the root, propagated down. Any ideas how to
> > fix this while keeping the security tight? Thanks!
>
> Is there anything in the .ASP pages that are trying to access files
> outside the sub directory you have given access to them?
>
> Larry- Hide quoted text -
>
> - Show quoted text -

Create a virtual directory for the directory you want to give them
access to and see if that resolves the issue.

Larry

Problem is that there is more than one directory. It's several spots
throughout. If I knew how to open up just the right security (perhaps on
root only), that would be ideal. Thanks for your help.

"daKernel" <heintz.larry@gmail.com> wrote in message
news:7e14c61c-5723-44bf-a22b-7160c84675ff@j20g2000hsi.googlegroups.com...
On Feb 6, 1:19 am, "Paul" <pstah...@yahoo.com> wrote:
> No, even if I put an empty.asp file there, it still exhibits the problem.
>
> "daKernel" <heintz.la...@gmail.com> wrote in message
>
> news:ecc17d5d-d247-4870-b49b-7edfa857cae2@m34g2000hsf.googlegroups.com...
> On Feb 1, 4:10 pm, "Paul" <pstah...@yahoo.com> wrote:
>
>
>
>
>
> > Someone please help me with this perplexing access problem. I've been
> > struggling all day with it. Here's the scenario: Windows 2003, IIS6,
> > running Classic ASP application, with basic authentication against our
> > domain. I've given "engineering users" access to the wwwroot for the
> > site.
> > So fine, they can access the ASP pages in the site, no problem. However,
> > I
> > want to give another group "sales group" (same domain) access to just a
> > certain subfolder of the site (but not the rest of the site). So I added
> > their group to the subfolder ACL. However, they cannot access the ASP
> > files
> > in that subfolder (401.3 error) unless I grant them access to the wwroot
> > (parent) folder, which I don't want to do. What's strange is that they
> > can
> > access HTML or ASPX files in their subfolder. Just not ASP. Something
> > about ASP files that wants to look at the wwwroot ACL. I tried to limit
> > their wwwroot level access, like just granting traverse and list access,
> > but
> > IIS wants full read access on the root, propagated down. Any ideas how
> > to
> > fix this while keeping the security tight? Thanks!
>
> Is there anything in the .ASP pages that are trying to access files
> outside the sub directory you have given access to them?
>
> Larry- Hide quoted text -
>
> - Show quoted text -

Create a virtual directory for the directory you want to give them
access to and see if that resolves the issue.

Larry