Hi
Maybe this can help:
Problem:
========
Want to verify that in a stand-alone server environment I can delete the
"everyone group" for a folder and replace with a "special" group making
this folder only accessible by the users in the "special" group. Thus
keeping all users from having the default (read) permission in the local
network environment.
Resolution:
==========
It is possible.
Reference Link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326214&Product=winsvr2003
HOW TO: Configure User and Group Access on an Intranet in Windows Server
2003
SUMMARY
This article describes how to configure user and group access on an
intranet in Windows Server 2003.
The World Wide Web (WWW) and File Transfer Protocol (FTP) services that are
included with Microsoft Internet Information Services (IIS) are fully
integrated with Windows Server 2003 user accounts and file access
permissions.
Every access to a resource (for example, a file or an HTML page) is
performed by the service on behalf of a Windows user. The service
impersonates the user by supplying a user name and password in the attempt
to read or run the resource for the client.
To run a secure Web server, you must rigorously control access to Web
content. With Windows and IIS security features, you can effectively
control how users access Web content. NTFS file system permissions control
access to physical directories on the server, and Web permissions control
access to virtual directories on the Web site. You can configure Web
permissions for specific Web sites, folders, and files on your server.
Unlike NTFS permissions, which apply only to a specific user or group of
users with a valid Windows account, Web server permissions apply to all
users who access your Web site regardless of their specific access rights.
By setting Web server permissions combined with Windows NTFS permissions,
you can control how users access your Web content on multiple levels, from
the whole Web site to individual files.
How to Set NTFS Permissions for a File or Folder
To set NTFS permissions for a file or folder:
1. Start Windows Explorer, and then locate the file or folder that you want
to set permissions for.
2. Right-click the file or folder, click Properties, and then click the
Security tab.
3. To configure permissions for a new user or group, click Add. In the
Select Users, Computers, or Groups dialog box, type the name of the user or
group that you want to set permissions for, click Check Names to verify the
name, and then click OK.
4. To permit or deny a permission in the Permissions for User or Group
list, click the user or group in the Group or user names list, and then
click to select the Allow or Deny check box next to the permission that you
want to permit or deny.
Or, to remove the group or user, click the user or group in the Group or
user names list, and then click Remove.
5. Click OK.
How to Set Permissions for Web Content
To set permissions for Web content:
1. Start IIS, or open the Microsoft Management Console (MMC) that contains
the IIS snap-in.
2. Expand ServerName, where ServerName is the name of the server, and then
expand Web Sites.
3. Right-click the Web site, virtual directory, directory, or file that you
want to set permissions for, and then click Properties.
4. Click the Home Directory, Virtual Directory, Directory, or File tab (as
appropriate).
5. Click to select or click to clear any of the following check boxes (if
present), as appropriate to the level of Web permissions that you want to
set:
- Script Source Access: To permit users to access source code, select this
option. Script Source Access includes source code for scripts, such as
scripts in Active Server Pages (ASP)-based programs. Note that this option
is available only if either Read or Write permissions are selected.
NOTE: When you select Script Source Access, users may be able to view
sensitive information, such as a user name and password, from scripts in an
ASP program. They can also change source code that runs on your server,
which can seriously affect the security and performance of your server. It
is best to handle access to these types of information and functions
through individual Windows accounts and higher-level authentication, such
as integrated Windows authentication.
- Read: To permit users to view or download files or folders and their
associated properties, select this option. The Read permissions option is
selected by default.
- Write: To permit users to upload files and their associated properties to
the enabled folder on your server, or to change the content or properties
of a Write-enabled file, select this option.
- Directory browsing: To permit users to view a hypertext listing of the
files and subfolders in this virtual directory, select this option. Note
that virtual directories do not appear in directory listings; users must
know the alias of a particular virtual directory.
NOTE: An "Access Forbidden" error message is displayed by your Web server
in a user's Web browser if the user tries to access a file or folder on
your server when both of the following conditions are true:
  - Directory browsing is disabled.
  -and-
  - The user does not specify a file name, such as Filename.htm in the
  Uniform Resource Locator (URL).
- Log visits: To record visits to this folder in a log file, select this
option. A log entry is recorded only if logging is enabled for the Web
site.
- Index this resource: To permit Microsoft Indexing Service to include this
folder in a full-text index of the Web site, use this option. This permits
users to perform queries on this resource.
6. Click OK, and then quit IIS Manager, or close the IIS snap-in.
NOTES:
- When you try to change security properties for a Web site or virtual
directory, IIS checks the existing settings on the child nodes (virtual
directories and files) that are contained in that Web site or virtual
directory. If the permissions set at the lower levels are different, IIS
displays an Inheritance Overrides dialog box. To specify which child nodes
should inherit the permissions that you set at the higher level, click the
node or nodes in the Child Nodes list, and then click OK. The child node or
nodes inherit the new permissions settings.
- If Web permissions and NTFS permissions differ for a folder or a file,
the more restrictive of the two settings is used. For example, if you
assign a folder Write permissions in IIS, and you grant a particular user
group Read permissions in NTFS, those users cannot write files to the
folder because the Read permissions setting is more restrictive.
- If you disable Web server permissions (for example, Read permissions) on
a resource, all users are restricted from viewing that resource, regardless
of the NTFS permissions setting that is applied to those users' accounts.
- If you enable Web server permissions (for example, Read permissions) on a
resource, all users can view that resource, unless NTFS permissions that
restrict access to it are also applied.
REFERENCES
For additional information about how to configure security for files and
folders, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
325361 HOW TO: Configure Security for Files and Folders on a Network in
Windows Server 2003
For additional information about access control in IIS, see the "Access
Control" section in IIS Help. To do this, start IIS Manager, or open the
MMC that contains the IIS snap-in. In the console tree, right-click
Internet Information Services, and then click Help. Click the Contents tab,
expand Internet Information Services, expand Server Administration Guide,
expand Security, and then click Access Control.
The information in this article applies to:
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, 64-Bit Datacenter Edition
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
Microsoft Windows Small Business Server 2003, Standard Edition
Microsoft Windows Small Business Server 2003, Premium Edition
Shilpa Sinha
This posting is provided "AS IS" with no warranties, and confers no rights.
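
Added example (not part of the original post or of the KB article): a scripted equivalent of the NTFS steps above, replacing the Everyone entry on a folder with a single group and then listing what remains so that other broad entries are visible. It assumes Windows PowerShell is installed and the session is elevated; the folder path and group name are hypothetical placeholders.

```powershell
# Placeholders (assumptions, not from the post): adjust before use.
$Folder = 'D:\Data\Restricted'       # hypothetical folder
$Group  = 'SERVER01\SpecialGroup'    # hypothetical local group on the stand-alone server

# Everyone is the well-known SID S-1-1-0; using the SID avoids localized names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Keep the current security descriptor (SDDL) so the change can be rolled back.
(Get-Acl -Path $Folder).Sddl | Out-File -FilePath "$env:TEMP\acl-backup.sddl"

# Pass 1: stop inheriting from the parent, copying inherited entries as explicit
# ones. The copy only happens when the ACL is written, so it must be saved and
# re-read before inherited Everyone entries can be removed.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# Pass 2: drop every Everyone entry (Allow and Deny) and grant the group
# Read & Execute on this folder, its subfolders and its files.
$acl = Get-Acl -Path $Folder
$acl.PurgeAccessRules($everyone)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: list the remaining entries and flag other broad principals
# (Everyone, Authenticated Users, BUILTIN\Users) that would still grant access.
$broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited,
        @{ Name = 'Broad'; Expression = {
            $broad -contains $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value } } |
    Format-Table -AutoSize
```

Any row with Broad = True after the run is an entry that still gives a wide set of accounts access to the folder. Entries for Administrators and SYSTEM are left in place so the folder stays manageable.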