We have an IIS7 intranet site running under integrated pipeline that is mostly ASP.Net with a few legacy classic ASP pages. The site allows anonymous access to most areas, but uses Windows Authentication to protect certain folders. Requests to ASP.Net pages in the protected folders behave as expected (authorized users can see them, others are denied), but any user can see any classic ASP page in the protected folders, regardless of permissions.
I suspect the windows authentication module is not being invoked for requests to classic ASP pages. We're running in integrated pipeline mode, and I found this article (http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/) which indicates that you need to explicitly remove and re-add modules if you want to take advantage of the integrated pipeline for non-ASP.Net requests. I tried to copy the article's example only replacing FormsAuthenticationModule with WindowsAuthenticationModule by adding the following to the web.config at the application root:
<system.webServer>
<modules>
<remove name="WindowsAuthentication" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="" />
</modules>
</system.webServer>
However, classic ASP pages are still being served regardless of permission.
Best Answer
Classic ASP pages totally ignore
web.configor any.configactually.The only way to handle this for classic ASP is through IIS, you will have to move the classic ASP pages to be under separate virtual website then for that virtual website set Windows Authentication and disable Anonymous Access.
This might help you as well:
IIS7: Setup Integrated Windows Authentication like in IIS6