I'm using IIS 5.0 on Windows 2000 with Service Pack 1 (SP1). To increase security, I'm trying to change the IUSR_servername account. When I delete this account, it reappears after I reboot the system. Have I discovered a bug?

You've discovered an undocumented feature that is new to IIS 5.0. Even if you rename the account, a new one will still appear after reboot. Microsoft documentation doesn't explain why this "feature" is implemented, and it's barely referenced in the README file installed with IIS. The only workaround is to create another account for Anonymous access that doesn't have IUSR in the name.

Every day, my company downloads Adobe Acrobat Portable Document Format (PDF) files to clients. Can we stream the PDF files so that the clients can view the files as they download?

Yes, you can. PDF files are extremely useful for displaying precise renditions of online content, such as software documentation, custom reports, and even entire books. Unfortunately, Web servers and Web browsers don't natively support PDF files. Consequently, you need specialized software—Adobe Acrobat—to create and read PDF files.

Acrobat Reader is free, and installation is easy—there are no user-adjustable parameters. After you complete the Acrobat installation, Acrobat Reader integrates with Microsoft Internet Explorer (IE) and is automatically called when you download a PDF file. Acrobat Reader is aptly named: It provides a read-only rendition of the PDF file that you can't modify in any way. This feature has obvious appeal to online publishers.

Acrobat Reader lets you view PDF files, but to create them, you must buy and install the full version of Acrobat. To create a PDF file in Acrobat, you simply copy the document onto the Acrobat icon, then print to a Monitored folder for automatic conversion or select Create Adobe PDF from a Microsoft Office application's File menu. Your PDF document will look the same on Windows, UNIX, and Macintosh systems.

Many companies use IIS as a vehicle to deliver PDF files to clients. Acrobat 4.0 includes a Save option called Optimize that lets you deliver PDF files one page at a time. To enable this functionality, click Save As and select the Optimize check box. If you don't select this option, clients must wait for the entire document to download. For more information about the Optimize feature, go to Adobe's Web site and search for byteserving.

Delivering prebuilt PDF files to clients isn't your only option. You can also develop PDF files on the fly. ActivePDF produces a set of server-side utilities that let you dynamically generate PDF files from Active Server Pages (ASP) or Cold Fusion. This capability lets you dynamically generate PDF files instead of simply delivering static files. This concept is similar to ASP versus HTML. Using ActivePDF, you can use write scripts to query a database and output results to a PDF file, which you then download and read into Acrobat Reader. You can find similar utilities at http://www.pdflib.com.

Finally, I'd be remiss if I didn't point out one more area in which PDF files concern IIS administrators. For Web sites with a volume of content, using Microsoft Index Server is a common way to provide search capabilities. Index Server will automatically index HTML and Office documents and provides a high-speed search engine with built-in interfaces to IIS. Natively, Index Server doesn't support searches for content that PDF files contain. To address this problem, Adobe has created an Index Server "filter" that enables Index Server to include PDF documents in the query returns. You can download the filter from http://www.adobe.com/support/downloads/8122.htm.

After installing IIS 5.0, I discovered that the option to create new Web sites is missing from the New Tasks menu, which I accessed by right-clicking the server name in Internet Services Manager (ISM). IIS 5.0 is supposed to support multiple Web sites. How can I create a new Web site when the menu item is missing?

When you install the Microsoft Windows NT 4.0 Option Pack on NT Workstation 4.0 or Windows 9x, you get Personal Web Server. PWS is basically a scaled-down version of IIS 4.0 that you can use to develop ASP files.

IIS 5.0 is integrated with Win2K, so you'll find IIS 5.0 on both the Win2K Server and Win2K Professional CD-ROMs. Now, however, when you install IIS 5.0 on Win2K Pro, you don't get PWS. Instead, you get a Web server called IIS 5.0. This discrepancy is confusing because many people incorrectly assume that the Win2K Server and Win2K Pro versions of IIS 5.0 offer the same features. This mistake is understandable because the servers have the same name, but they're not at all the same. One limitation of the Win2K Pro version of IIS 5.0 is that you can't create more than one Web site. Therefore, my guess is that you installed IIS 5.0 on Win2K Pro and expected to see a full-featured package. An IIS 5.0 implementation under Win2K Pro contains these additional limitations:

  • You're limited to 10 simultaneous connections. Because a request to download a page can require multiple TCP sessions, this limitation actually translates to 40 connections.
  • The Operators tab is unavailable. The Operators tab lets you specify which groups or users can administer a Web site. Because Win2K Pro isn't a server and doesn't support multiple Web sites, this features is unnecessary.
  • You can't limit access based on IP address or domain name.
  • On the Performance tab, you can't enable bandwidth throttling or process throttling. Therefore, you can't select the Enforce limits check box.
  • Browser-based administration is unavailable because IIS 5.0 under Win2K Pro doesn't support the use of multiple virtual Web servers. A virtual web site is required to support the browser-based administrative tools.

When you install IIS 5.0 on Win2K Pro, the Internet Services Manager menu item doesn't even load onto the Administrative Tools menu (as it does under Win2K Server). You must create a Microsoft Management Console (MMC) console and load the Internet Information Services snap-in (i.e., iis.msc) from \%systemroot%\system32\inetsrv. You can, however, use the Personal Web Manager (which you access from the Administrative Tools menu) to administer IIS 5.0 under Win2K Pro.

Another word of warning regarding IIS 5.0 and Win2K Pro: Many developers are creating complex systems that work fine on PWS or IIS 5.0 under Win2K Pro. However, after the developers migrate these systems to the Win2K Server environment, they experience difficulties with ODBC, permissions, ASP, and other environmental aspects. I get questions such as, "My application works fine on Win95 PWS, so what's wrong with Win2K Server?" My response is, "What's wrong with your development process if you're developing applications in an environment they aren't designed for?" Of course, writing code on a system that is compatible with the expected target environment is acceptable, but that kind of development process must include a transition phase. In a move from a workstation environment to a server environment, you can expect to encounter some differences.

When a user contacts an IIS server and requests a Web page, the IIS server reveals its IP address in the HTTP conversation between the Web server and the user. For security reasons, my company goes to great lengths to keep internal network addresses invisible. Can I change this IIS behavior?

In some cases—but not all—IIS returns the IP address. The Microsoft article "Internet Information Server Returns IP Address in HTTP Header (Content-Location)," http://support.microsoft.com/support/ kb/articles/q218/1/80.asp, states that IIS exposes the IP address only when you deliver static HTML content. In that event, IIS delivers a response such as what Figure 1 shows.

In this response, you can clearly see the server's internal IP address. To change this behavior, you can add an entry to the metabase. In the \winnt\system32\inetsrv\adminsamples directory, type

adsutil set w3svc/UseHostName True

at a command prompt. Then, press Enter. This procedure adds the necessary entry to the metabase. Be sure to back up the metabase before the modification, and stop and start the Web server afterward. (This modification works on IIS 5.0 and IIS 4.0.) Instead of the previous response, IIS will return the response that Figure 2 shows.

I installed IIS 5.0 on my company's Win2K Server machine. Now, users can't change their passwords over the intranet, as they could under IIS 4.0. How can I regain this capability, which is important in the company's installation?

A clean installation of IIS 5.0 gives you the ability to change passwords, but because of the security risk involved with users changing account passwords over your intranet or the Internet, IIS 5.0 doesn't enable the feature by default (as IIS 4.0 does). To enable this capability, you need to create an IISADMPWD virtual folder and add a metabase entry. (If you're upgrading from IIS 4.0 to IIS 5.0, you won't need to perform these steps.) Before you make any changes, you should stop and start the Web service and back up the metabase.

First, select the Web site you want to contain the virtual directory that will point to the IIS-installed programs permitting users to change passwords. For example, you can use the Default Web Site, which IIS 4.0 uses. Second, to make the change to the metabase, in the \winnt\system32\inetsrv\adminsamples directory, type

adsutil set w3svc/1/PasswordChangeFlags 1

at a command prompt. Then, press Enter. Users should now be able to change their passwords. For more information about virtual directories and clean IIS 5.0 installation, see the Microsoft article "IISADMPWD Virtual Directory Is Not Created During Clean Install of IIS 5.0" (http://support.microsoft.com/support/kb/ articles/q269/0/82.asp).