Outside of authentication, the most common way to secure the contents of your Web site is through the use of permissions. As you learned earlier, the Home Directory tab in the properties of a Web site includes a section with four permissions listed: Script source access, Read, Write, and Directory browsing. By default, only the Read permission is enabled, which allows users to view a Web page, but not change it. If the Write permission is enabled, users can change pages via FTP, FrontPage, or similar programs. The Directory browsing permission is one that you may be familiar with from surfing the Web: when enabled, a user can view a listing of all files stored in a directory and click on hyperlinks to access them (an example is shown below). Finally, the Script source access permission allows scripts stored in a directory to be run. Most commonly, this permission is enabled for directories dedicated to holding scripts, such as a CGI-BIN folder. As a general rule, leave the permissions for a site set to Read unless you specifically want to use a feature like Directory browsing, since it’s a much safer setting for your pages and will apply to all users who connect to your server.
In much the same way that NTFS permissions can be used to secure local files and folders on your system, they can also be used to obtain a more granular level of control over who can connect to certain Web site directories or files. For example, if you access the Security tab in the properties of a file or folder under C:\Inetpub\wwwroot, you can configure specific permissions for different user or group accounts that you may have created. As a general rule, use IIS permissions as your first line of security, and use NTFS permissions for more control when necessary. Of course, your Web site will need to be stored on an NTFS partition to be able to make use of these permissions.
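The NTFS side of this can be checked from PowerShell as well as from the Security tab. The script below is an added example, not part of the original article: it confirms that the Web root is on an NTFS volume and lists every account that NTFS allows to change content under it. The function name `Get-WebRootWriteAccess` and the choice of which rights count as "write-capable" are assumptions made for this example; the path is the one used in the article.

```powershell
# Added example: list accounts with write-capable NTFS rights under a Web root.
# Get-WebRootWriteAccess is a hypothetical name chosen for this example.
function Get-WebRootWriteAccess {
    param(
        [string]$Path = 'C:\Inetpub\wwwroot'   # default IIS Web root named in the article
    )

    # NTFS permissions only exist on NTFS volumes, so check the file system first.
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    $drive    = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($resolved))
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "$Path is on a $($drive.DriveFormat) volume; NTFS permissions are not available."
    }

    # Bits that let an account change content. 'Modify' and 'FullControl' are not used
    # as masks because they also contain read bits and would flag read-only entries.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some entries store generic rights instead: GENERIC_WRITE and GENERIC_ALL.
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Audit the root folder itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $resolved) +
             @(Get-ChildItem -LiteralPath $resolved -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }           # skip Deny entries
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue } # read-only entry
            [pscustomobject]@{
                Path      = $item.FullName
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly on this item
            }
        }
    }
}

# Review the result: entries that are not inherited were granted on that file or folder directly.
Get-WebRootWriteAccess | Sort-Object Account, Path | Format-Table -AutoSize
```

Run it in an elevated session on the Web server so that `Get-Acl` can read every item under the folder.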