While setting up Web-based permissions through the Microsoft Management Console (MMC) Internet Information Services snap-in, I've noticed that the Read permission doesn't seem to work. With the exception of the Scripts and Scripts and Executables permissions, which are required, scripts are delivered regardless of how I set the permissions. How are these permissions supposed to work?
Indeed, what I call the Web-based permissions behave somewhat unexpectedly. You set them in a Web site's Properties dialog box, as Figure 3, page 7, shows, and they are different from NTFS permissions. IIS applies these permissions at the application level, so it's free to implement its own set of rules to govern exactly how the permissions work.
You can access a Web server in several different ways. For example, you can use a Web browser, a Web folder (i.e., WWW Distributed Authoring and Versioning—WebDAV), or Microsoft FrontPage. Each method has different rules about how the Web-based permissions are enforced:
- Read/Write Permission—This permission applies to the static content that a Web browser delivers. Static content refers to any file that doesn't have an established application mapping (e.g., .asp, .idc). The term also applies to WebDAV access because regardless of file type, you can't read or write to a Web folder unless the permissions specifically allow it. As you've discovered, these rules don't apply to scripts that you run from a browser. You can run scripts and they can write to the drive regardless of the permission settings.
- Script Source Access—This permission doesn't behave as the documentation says it should. As far as I can tell, this permission lets you use WebDAV to read the script source instead of running the script. Also, if you don't select this option, you can't use WebDAV to write scripts to the Web server.
- List Folder Contents (Directory Browsing in IIS 5.0)—This setting behaves more or less the way it sounds. When set, if you access a site or directory but haven't specifically requested a file and a default document is either not defined or not found, then the Web server returns a file listing similar to an FTP listing (if you're using Microsoft Internet Explorer—IE).
I haven't referred to FrontPage in these descriptions because it uses its own set of rules to interact with the server and has settings such as Allow author to upload executables, which can make describing how these permissions work rather complicated.
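The rules described above, modelled as an added Python example (not code from the original column or from IIS). The class and function names are hypothetical, and requiring Script Source Access in addition to Read or Write for WebDAV access to script files is this example's reading of the description.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WebPerms:
    """Web-based permission checkboxes for one site or directory."""
    read: bool = False
    write: bool = False
    script_source: bool = False   # Script Source Access
    scripts: bool = False         # Scripts, or Scripts and Executables
    dir_browsing: bool = False    # Directory Browsing

def allowed(p: WebPerms, client: str, action: str, script_mapped: bool) -> bool:
    """client is 'browser' or 'webdav'; action is 'get' or 'put'.
    script_mapped: the file type has an application mapping (.asp, .idc)."""
    base = p.read if action == "get" else p.write
    if client == "browser":
        if script_mapped and action == "get":
            return p.scripts      # runs the script; Read is not consulted
        return base               # static content honours Read/Write
    if client == "webdav":
        # Assumption: script files need Script Source Access on top of Read/Write.
        return base and (p.script_source or not script_mapped)
    raise ValueError(f"unknown client: {client}")

def review(p: WebPerms) -> list[str]:
    """Settings whose effect differs from what the checkbox names suggest."""
    notes = []
    if p.scripts and not p.read:
        notes.append("Read is off, but browser requests still run scripts")
    if p.scripts and not p.write:
        notes.append("Write is off, but scripts that run can still write to the drive")
    if p.script_source and p.read:
        notes.append("WebDAV clients can read script source")
    if p.script_source and p.write:
        notes.append("WebDAV clients can write scripts to the server")
    if p.dir_browsing:
        notes.append("a listing is returned when no default document is found")
    return notes

if __name__ == "__main__":
    # Constructed sample: the reader's case, Read cleared and Scripts set.
    locked = WebPerms(scripts=True)
    print(allowed(locked, "browser", "get", script_mapped=True))    # script runs
    print(allowed(locked, "browser", "get", script_mapped=False))   # static blocked
    for note in review(locked):
        print("-", note)
```

Because scripts that run can write to the drive whatever these checkboxes say, the model only describes what IIS enforces at the application level; NTFS permissions are a separate layer.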