I am making a small file hosting website, and each user can upload multiple files, and will have access to just his files and can't access others files, for example by guessing the URL.
Is there a way to secure files to have access by just the owner and no body else "may be website administrator also will have access"
Update if you can show me example, code sample or demo that will be great.
You need to store files in a directory not served by IIS, then make a script that takes a file ID, validates that the user has access, and returns the contents of the file.
If each user has their own folder in which to upload files then you can use web.config to only allow that validate user access to their own folder. If that's not the case then I'd imagine you'd need to put a layer (data driven) between the requester and the file that would validate access before serving the file.
This depends on whether this is an internet or internal intranet application. If it is internal, and using windows authentication or active directory authentication, then you could protect the files using file based permissions.
If it is an external internet application, then you will have to develop some logic to protect your files. Let's assume that your Authentication is robust - you can accurately confirm that a user is who they say they are. What you need now is an Authorisation system - something that determines what an identified user can access.
Let's assume that you have an id for user 101. You could prepend 101_ to the start of filenames that only that user could access. 101_report.pdf fopr example. You would need to write some code to prevent serving out files prefixed with the wrong id. (you could remove the 101_ after you have done the Authorisation check if you don't want your users to see it, or you could store all of the user's files in a folder called 101).
If you want files accessible to multiple users, you will have to develop a way of linking a user to a file and of checking those links each time you display your page. You might want to consider Groups as well if you can logically group users into real world groups that will share a given set of files. But only do this if you are really going to need it as it adds a whole new level of complexity.
One common way to implement this is to store the files in a database as binary data. Don't worry about your database getting too big if you are using SQL Server. Binary fields are not stored in the data tables themselves so they don't affect performance. What this would allow you to do is very quickly look up what files the logged in user has access to using quick database joins. Then stream out the data in a response stream when the user requests a particular file (after another check of course - you can't be too careful).