views:

565

answers:

2

We're in the process of upgrading from IIS 6 and .NET 3.5 to IIS 7.5 (Windows Server 2008 R2 Enterprise) with the same application. I'm having trouble getting our previous IIS 6 setup to work correctly.

Under IIS 6, I could set the website itself to use a specific domain user (e.g. ourdomain\webuser) for IIS itself. This controlled initial access to all files, including HTML, images, etc. and formed the initial request that went to an ASP.NET page wherein then the .NET engine took over and the user running .NET was another domain user (e.g. ourdomain\dotnetuser). We would then yank all NTFS permissions from one folder (e.g. /lockdown/) for the IIS user, ourdomain\webuser. Anytime someone tried to access a file in that directory, IIS said "No access, kick into Windows authentication access" and prompted them for credentials. This still caused any underlying .NET code to run as ourdomain\dotnetuser.

I'm having trouble getting this same setup to work under IIS 7.5 and am sure that it's just some dumb oversight thing. It...wants to work but doesn't completely. Here's what I've done:

The application pool for the site is set to .NET Framework v2.0.50727 with "Integrated" selected as the managed pipeline mode option. Then the identity is set to ourdomain\dotnetuser so that the pool runs as that specific user.

The website is set up in IIS > Authentication to connect as "ourdomain\webuser" and all seems to be well. The trouble is when I go to this special /lockdown/ directory. I tried to set it up exactly the same way as IIS 6 (by simply removing access to that folder from ourdomain\webuser). When I do this, I do get the standard prompt for access, but after providing my credentials, I still get:

Error message 401.3: You do not have permission to view this directory 
or page using the credentials you supplied (access denied due to Access 
Control Lists). Ask the Web server's administrator to give you access to 
'C:\ourwebsite\lockdown\default.aspx'.

My account is in the local administrators group on this machine (plus I'm a domain admin here) and the Administrators group has been given full access to this folder. I see the following as an "Information" event in the Application Event Viewer:

Event code: 4008 
Event message: File authorization failed for the request. 
Event time: 8/1/2010 8:45:18 AM 
Event time (UTC): 8/1/2010 12:45:18 PM 
Event ID: 0f8a5de692e74e67bb4e3c65a867586c 
Event sequence: 32 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT-1-129251371048714102 
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\ourwebsite\ 
    Machine name: TESTWEB3 

Process information: 
    Process ID: 3008 
    Process name: w3wp.exe 
    Account name: ourdomain\dotnetuser 

Request information: 
    Request URL: http://localhost/lockdown/default.aspx 
    Request path: /lockdown/default.aspx 
    User host address: ::1 
    User: ourdomain\myuser 
    Is authenticated: True 
    Authentication Type: Negotiate 
    Thread account name: ourdomain\dotnetuser

Any suggestions or ideas here?

+1  A: 

You could use Authorization rules for that, just create a web.config inside the directory you want to protect with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <!-- drop the inherited rule that allows all users -->
                <remove users="*" roles="" verbs="" />
                <!-- "?" is the anonymous user: deny it so IIS issues a 401 challenge -->
                <add accessType="Deny" users="?" />
                <!-- then allow only members of the Administrators group -->
                <add accessType="Allow" roles="Administrators" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

This will prevent the access to anonymous users and only allow users from the Administrators group. You can use Roles or users for this.

CarlosAg
Thank you very much for the suggestion. I've put this exact contents into a newly-created web.config in the folder and it doesn't appear to accomplish anything (which I find strange). If I restore the NTFS permissions to be the same on this folder as on all other folders in the site, I would expect this web.config to be invoked and prevent access by non-admins (i.e. the anonymous ourdomain\webuser). Is there some other configuration setting I might need to apply so this might work?
mk
This works much better when you install URL Authorization at the server level first! http://www.iis.net/ConfigReference/system.webServer/security/authorization Thank you!
mk
A: 

On Windows Server 2008 R2 with IIS 7.5 you need to execute Windows Explorer run as Administrator by right clicking it to get admin privileges to modify anything in that folder. Add the application pool identity to the ACL of the c:\inetpub\wwwroot... folder with read and execute permissions.

Earl
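The two answers above, scripted end to end for IIS 7.5 on Server 2008 R2 as an added example that is not code from either poster: it installs the URL Authorization role service whose absence mk ran into, enables the Windows/anonymous authentication pair the challenge depends on, writes CarlosAg's three authorization rules in the form IIS Manager's Configuration Editor generates, grants the application pool identity the Read & Execute access Earl describes, and then checks the result with an anonymous and an authenticated local request. The site name (Default Web Site), the physical path, the accounts and the test URL are assumptions taken from the question; run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread. Site name, paths and accounts are
# assumptions taken from the question above.
Import-Module ServerManager        # Add-WindowsFeature on Server 2008 R2
Import-Module WebAdministration    # IIS 7.x configuration cmdlets

$siteName    = 'Default Web Site'          # assumed site name
$lockdownLoc = "$siteName/lockdown"        # IIS location of the protected folder
$lockdownDir = 'C:\ourwebsite\lockdown'    # physical path from the question
$appPoolUser = 'ourdomain\dotnetuser'      # application pool identity
$appHost     = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config

# 1. The authorization rules do nothing until the URL Authorization module is
#    installed; Windows Authentication is needed for the credential challenge.
Add-WindowsFeature Web-Url-Auth, Web-Windows-Auth | Out-Null

# 2. The authentication sections are locked at the server level, so they must
#    be written into applicationHost.config under a <location> for the folder
#    rather than into the folder's own web.config. Anonymous stays enabled: the
#    first request runs as the anonymous user, the Deny rule below rejects it,
#    and the browser retries with Negotiate credentials.
$authFilter = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $lockdownLoc `
    -Filter "$authFilter/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $lockdownLoc `
    -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $true

# 3. Same rules as the web.config in the accepted answer: remove the inherited
#    allow-everyone rule, deny anonymous ("?"), allow only Administrators.
$authzFilter = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $appHost -Location $lockdownLoc `
    -Filter $authzFilter -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $appHost -Location $lockdownLoc `
    -Filter $authzFilter -Name '.' -Value @{ accessType = 'Deny'; users = '?' }
Add-WebConfigurationProperty -PSPath $appHost -Location $lockdownLoc `
    -Filter $authzFilter -Name '.' -Value @{ accessType = 'Allow'; roles = 'Administrators' }

# 4. Earl's point: the worker process (ourdomain\dotnetuser) still has to read
#    the files, and the authenticated user's group needs NTFS read access too,
#    since ASP.NET file authorization checks the ACL against that user.
icacls $lockdownDir /grant "${appPoolUser}:(OI)(CI)RX" | Out-Null
icacls $lockdownDir /grant 'BUILTIN\Administrators:(OI)(CI)RX' | Out-Null

# 5. Verify: show the effective rules for the folder, then issue one anonymous
#    request and one that sends the current Windows credentials. With the rules
#    above the anonymous request should be turned into a 401 challenge and an
#    administrator's authenticated request should reach the page.
Get-WebConfiguration -PSPath $appHost -Location $lockdownLoc -Filter "$authzFilter/add" |
    Select-Object accessType, users, roles | Format-Table -AutoSize

function Test-LockdownUrl([string]$Url, [bool]$SendCredentials) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $SendCredentials   # Negotiate with the caller's token
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $code = [int]$_.Exception.Response.StatusCode
    }
    return $code
}

$url = 'http://localhost/lockdown/default.aspx'   # URL from the question
'anonymous     -> {0}' -f (Test-LockdownUrl $url $false)
'authenticated -> {0}' -f (Test-LockdownUrl $url $true)
```

Writing the rules with `-PSPath 'MACHINE/WEBROOT/APPHOST' -Location ...` puts them in applicationHost.config, which is what lets this work even when the `authorization` section is locked for web.config files; if you prefer the web.config from the accepted answer, the `-Location` parameter can be dropped and `-PSPath "IIS:\Sites\$siteName\lockdown"` used instead, and only the feature install and the `icacls` grants then remain necessary.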