I realize the answer to this question is dependent on the specific server used, but curious if people have recommendations on a max file size limit to allow from an ASP.NET web form.
Working for a Printing Company who wants to allow uploads from graphic designers. I know they will exceed whatever limit I give them....
You need to keep your users happy - if they need to upload 16MB+ files, then that's what you have to enable. Talk to them and establish a rough limit if you can, they'll have the best idea of the file sizes involved - try to stick to the smallest, practical value, don't just go straight to 300MB or more. Don't allow multiple uploads in one go either, if you can.
If you only enable uploads from certain pages, you can use a <location> element in your Web.config to increase the upload limit just for those pages / directories, rather than for the entire site - while it wouldn't prevent a DOS attack, it reduces the surface area over which such an attack would be most viable, although you're highly unlikely to encounter such an attack anyway.
eg:
<location path="Upload.aspx">
<system.web>
<httpRuntime maxRequestLength="16384" /> <!-- 16MB -->
</system.web>
</location>
Also, if you are about to deploy your site on IIS7, then keep in mind that IIS7 has its request scanning mechanism that does not allow max. request content length to cross 30MB (by default).
Even if you set maxRequestLength (in web.config) more than 30MB for your web site or web page, IIS7 won't allow uploads bigger than that. You have to configure IIS to increase the default content length limit for the web site. It can be done using following command,
appcmd set config "SiteName" -section:requestFiltering -requestLimits.maxAllowedContentLength:209715200 -commitpath:apphost
I have set the max. content length to 200MB (209715200 bytes) in above example.