Disabling Anonymous Access
I showed you how to give yourself Full Control permission on the wwwroot folder to make it easier (and in some cases possible) to add and edit content in that folder. When you access your website on the IIS computer using the http://localhost/, http://127.0.0.1/, or http://Computer/ addresses (where Computer is the name of the IIS computer), you access the site using your own user account. Everyone else on your network, and anyone who surfs to your site from the Internet (including you if you navigate to the site using http://IPAddress/, where IPAddress is your router’s external IP address) accesses the site as an anonymous user. This means that IIS gives the person read-only access to the site without requiring a username and password, a technique called anonymous authentication.

However, you may have content that you want to restrict to people who have user accounts on Windows 7. In that case, you need to disable anonymous access for the website and switch to basic authentication, which means IIS prompts each user for a username and password before allowing access to the site.

Follow these steps to disable anonymous access:
1. Open IIS Manager.
2. Open the Computer, Sites branch (where Computer is the name of the computer running IIS).
3. If you want to disable anonymous authentication on the entire site, select Default Web Site; if you want to disable anonymous authentication only on a specific folder within the site, open the Default Web Site branch and select the folder.
4. Click Features View.
5. Double-click the Authentication icon to display the Authentication page.
6. Select Anonymous Authentication.
7. In the Actions pane, click the Disable link.
8. Select Basic Authentication.
9. In the Actions pane, click the Enable link. The Authentication page should now appear as shown in Figure 6.
10. Click the Back button to return to the website’s main page in IIS Manager.
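The same change can be scripted and then verified. This is an added example, not part of the original text: it assumes the IIS WebAdministration PowerShell module and an elevated session, and it adds two checks the steps do not mention (that the Basic Authentication module is installed, and whether the site has an HTTPS binding, because basic authentication sends credentials Base64-encoded rather than encrypted).

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
# Run from an elevated PowerShell session on the IIS computer.
Import-Module WebAdministration

# Assumption: the whole site is the target. For one folder, use a path such as
# 'Default Web Site/private' (hypothetical folder name).
$location = 'Default Web Site'
$site     = ($location -split '/')[0]
$authRoot = 'system.webServer/security/authentication'

function Set-AuthState([string]$Scheme, [bool]$Enabled) {
    # -PSPath 'IIS:\' with -Location writes a <location> entry to
    # applicationHost.config rather than to the site's web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/$Scheme" -Name enabled -Value $Enabled
}

function Get-AuthState([string]$Scheme) {
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/$Scheme" -Name enabled).Value
}

# Check 1: basic authentication is an optional IIS component. If its module is
# missing, stop before anonymous access is switched off.
if (-not (Get-WebGlobalModule -Name 'BasicAuthenticationModule')) {
    throw 'Basic Authentication is not installed. Add it in Windows Features, then rerun.'
}

# Steps 6-9: disable anonymous authentication, enable basic authentication.
Set-AuthState 'anonymousAuthentication' $false
Set-AuthState 'basicAuthentication'     $true

# Read the settings back instead of trusting that the writes succeeded.
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication') {
    '{0,-24} enabled = {1}' -f $scheme, (Get-AuthState $scheme)
}

# Check 2: without an https binding, every username and password crosses the
# network in a form that anyone capturing the traffic can decode.
if (-not (Get-WebBinding -Name $site -Protocol 'https')) {
    Write-Warning "$site has no https binding; basic authentication credentials will travel unencrypted."
}
```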
When an anonymous user attempts to access your website or website folder, he sees a Connect dialog box similar to the one shown in Figure 7. The user must enter a username and password for an account that exists on the Windows 7 machine that’s running IIS.
Tip
Switching to basic authentication means that any user with a valid account on Windows 7 can access the website. What if there are one or more users with Windows 7 accounts that you do not want to view the website? In that case, you must adjust the security of the website’s home folder directly. Use Windows Explorer to display the website’s home folder, right-click the folder, and then click Properties. In the Security tab, click Edit, click Add, type the name of the user, and then click OK. Select the user, and then activate the Full Control check box in the Deny column. This tells Windows 7 not to allow that user to view the folder, thus barring the user from viewing the website.