August 25, 2009 12:00 AM

Q: What is the easiest way to set up access control restrictions on the content of our intranet websites that are hosted on an IIS 7.0 web server?

Windows IT Pro
InstantDoc ID #102498

A: IIS 7.0 web servers support an access control feature called URL Authorization that lets you define access to a website by linking a set of permissions to the site's URL. You can control access to all content types, including static files and ASP files, based on the user account, Windows group membership, ASP.NET role membership, and the URL of the web resource.

You can set these access restrictions without changing other IIS or NTFS permissions. If you've worked with earlier IIS versions, you've probably been annoyed by the complexity of setting up access control for web resources on the IIS platform. You not only have to take into account the web server-specific permissions (the Read, Write, and other permissions configurable from the Home Directory tab of a website's properties in IIS 5.0 and 6.0), but also the NTFS-level permissions.

IIS 6.0 provides a similar URL authorization feature, but it isn't well integrated with the web server and requires a complex manual setup procedure. The IIS 6.0 URL authorization mechanism is documented in a Microsoft Knowledge Base article.

Unlike IIS 7.0, IIS 6.0's URL Authorization uses the Authorization Manager (AzMan) access control engine. Note that this old IIS 6.0 mechanism is still around in IIS 7.0, but I advise you to use the new URL authorization.

The IIS 7.0 URL authorization mechanism can be configured from the Authorization Rules Configuration item in the IIS Manager. This configuration item is available in the Features view of the web server and of every website. In the Authorization Rules interface, you can configure simple allow and deny rules for specific Windows user accounts or groups, or ASP.NET roles to control access to a website’s URL. The allow/deny rules can also be fine-tuned based on the use of particular HTTP verbs.

To illustrate how easy it is to set up access restrictions for a website using URL Authorization, try the following example. Create two Windows user accounts, Alice and Bob. Remove the default Allow rule for All Users on the IIS Default Web Site, create an Allow rule for Alice and a Deny rule for Bob, and then try to access the Default Web Site using each account. Your attempt should result in a configuration screen similar to the one in Figure 1, shown here.


You should also look at the resulting web.config entries for the authorization rules that are set up in the Alice/Bob example. The content of the web.config file is illustrated in Figure 2, and you can see that it's easy to define and edit authorization rules directly in a website's configuration file without going through the IIS Manager interface. Also note that you can easily transfer these rules to another web server, which is helpful in a web farm setup: simply copy the application's web.config file to the other servers of the web farm.
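As an added illustration (not the page's Figure 2, and not taken from Microsoft's own documentation), here is a web.config fragment of the kind the Alice/Bob example produces in the IIS 7.0 `system.webServer/security/authorization` section. It goes slightly beyond the example above by also restricting Alice to read-only HTTP verbs and granting an ASP.NET role; the user and role names are constructed for this example. The element and attribute names (`remove`, `add`, `accessType`, `users`, `roles`, `verbs`) are those of the IIS 7.0 configuration schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- IIS 7.0 URL Authorization (the URL Authorization role service must be
           installed). This is NOT the ASP.NET <system.web><authorization> section,
           which is a separate module with its own, order-dependent semantics. -->
      <authorization>
        <!-- Step 1 of the example: drop the inherited default rule that lets
             every user ("*") reach the site. Without this the site stays open. -->
        <remove users="*" roles="" verbs="" />

        <!-- Step 2: Alice may read content. Limiting the verbs means a POST or
             PUT from Alice is still refused even though she is allowed in. -->
        <add accessType="Allow" users="Alice" verbs="GET,HEAD" />

        <!-- Step 3: Bob is denied outright. IIS evaluates Deny rules before
             Allow rules, so Bob is refused even if he is also a member of a
             group or role that is allowed below. -->
        <add accessType="Deny" users="Bob" />

        <!-- Constructed extra rule: members of an ASP.NET role get full access. -->
        <add accessType="Allow" roles="IntranetEditors" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

When checking a rule set like this, confirm two things: that the `<remove users="*" .../>` line is actually present (IIS Manager writes it when you delete the inherited All Users rule, but a hand-edited file can omit it), and that the rules live under `system.webServer`, not `system.web`, since only the former is enforced by IIS for static files and non-ASP.NET content.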
