Consider an IIS6 Application under a web site:

  • Windows authentication is enabled.
  • Anonymous authentication is off.

This is an ASP.NET MVC application with Areas. The root web.config has the authentication and authorization nodes as follows:

<authentication mode="Windows"></authentication>

<authorization> 
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>   
</authorization>

My identity is NOT in the list of allowed users. Entering the URL in the browser, I can view and navigate to all the pages within. I know I am being authorized properly, as my Active Directory name is displayed on the site.

Problem: I am given access to the site.

Question: Using the web.config, how can I restrict users based on their Windows credentials to this IIS6 Application?

+2  A: 

Try this:

<authorization> 
    <allow users="domain\abc, domain\xyz, domain\foo, domain\bar"/>   
    <deny users="*"/>
</authorization>
rick schott
+1  A: 

How about adding a deny section behind the allow one?

<deny users="*" />
Heiko Hatzfeld
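Both answers above amount to the same fix, and the reason it works is the ordering rule of ASP.NET URL authorization: the `<allow>` and `<deny>` elements are checked top to bottom, the first one that matches the current user decides, and if none match, the machine-level configuration (which ends with `<allow users="*"/>`) lets the request through. The asker's allow-only list therefore never denies anyone. The script below is an added example, not code from the question, the answers or ASP.NET itself; it parses an `<authorization>` section with the standard library and applies those semantics as I understand them (first match wins, `*` is everyone, `?` is anonymous, names compare case-insensitively, commas separate entries). The function and constant names are my own, and the three configurations are constructed from the text of the question and answers.

```python
"""Simulate ASP.NET URL authorization (first-match-wins) over an
<authorization> section, to show why an <allow> list alone admits everyone
and why the <deny> must come after the <allow>.

Added example; hypothetical names. The evaluation rules mirror
UrlAuthorizationModule as I understand them, not its actual source.
"""
import xml.etree.ElementTree as ET

# The asker's configuration (constructed from the question): allow four
# users, no deny, so the implicit machine-level <allow users="*"/> applies.
ORIGINAL_CONFIG = """
<authorization>
    <allow users="domain\\abc, domain\\xyz, domain\\foo, domain\\bar"/>
</authorization>
"""

# The fix both answers propose: an explicit deny-all after the allow list.
FIXED_CONFIG = """
<authorization>
    <allow users="domain\\abc, domain\\xyz, domain\\foo, domain\\bar"/>
    <deny users="*"/>
</authorization>
"""

# A common mistake when applying the fix: deny placed first. Since the first
# matching rule wins, every user, including the listed ones, is refused.
WRONG_ORDER_CONFIG = """
<authorization>
    <deny users="*"/>
    <allow users="domain\\abc, domain\\xyz, domain\\foo, domain\\bar"/>
</authorization>
"""

ANONYMOUS = None  # an unauthenticated request carries no identity


def _split_list(value):
    """'a, b ,c' -> ['a', 'b', 'c']: entries are comma-separated and trimmed."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]


def _rule_matches(rule, user, roles):
    """True if this <allow>/<deny> element applies to the given principal.
    '*' matches everyone, '?' matches only anonymous, names are case-insensitive."""
    for name in _split_list(rule.get("users")):
        if name == "*":
            return True
        if name == "?" and user is ANONYMOUS:
            return True
        if user is not ANONYMOUS and name.lower() == user.lower():
            return True
    if user is not ANONYMOUS:
        user_roles = {r.lower() for r in roles}
        for role in _split_list(rule.get("roles")):
            if role == "*" or role.lower() in user_roles:
                return True
    return False


def is_authorized(config_xml, user, roles=()):
    """Evaluate an <authorization> section for a user; True means allowed.
    Rules are checked in document order and the first match decides. If no
    rule matches, the implicit root-config <allow users="*"/> admits the
    request, which is exactly what let the asker in."""
    root = ET.fromstring(config_xml.strip())
    if root.tag != "authorization":
        raise ValueError("expected an <authorization> element")
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        if _rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # implicit machine-level <allow users="*"/>


if __name__ == "__main__":
    cases = [("original", ORIGINAL_CONFIG),
             ("fixed", FIXED_CONFIG),
             ("deny-first", WRONG_ORDER_CONFIG)]
    for label, cfg in cases:
        for who in ("domain\\abc", "domain\\notlisted"):
            verdict = "allowed" if is_authorized(cfg, who) else "denied"
            print(f"{label:10s} {who:18s} -> {verdict}")
```

Running it shows the unlisted user allowed under the original section, denied once `<deny users="*"/>` follows the `<allow>`, and the listed users locked out when the deny is placed first. One further check worth making on IIS 6: this module only runs for requests that reach ASP.NET, so the extensionless MVC routes are covered only if the site maps them to aspnet_isapi.dll (the wildcard mapping usually configured for MVC on IIS 6).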