Microsoft KB Archive/324333

= PRB: 401 Error message if user is not included in the Bypass Traversal Checking policy =

Article ID: 324333

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 6.0

-



This article was previously published under Q324333



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you connect to any page on an Internet Information Services (IIS) Web site, you may receive the following error message:

401.3 Unauthorized due to ACL on resource



CAUSE
This can occur if the account that is trying to access resources on the server does not have enough NTFS file system permissions on the resource.



RESOLUTION
Do not remove the Everyone group from the Bypass Traverse Checking policy. If the Everyone group must be removed from the policy for security reasons, make sure that the IUSR account is listed in the policy.



STATUS
This behavior is by design.



Steps to reproduce the behavior
 Tighten the NTFS permissions on the resource. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

271071 Minimum NTFS permissions required for IIS 5.0 to work

 Remove Everyone from the local Bypass Traverse Checking security policy. Try to access a simple HTML page on IIS. You receive the 401.3 error message.

