Microsoft KB Archive/325358

= HOW TO: Configure User and Group Access on an Intranet in Windows 2000 or Windows NT 4.0 =

Article ID: 325358

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Standard Edition
 * Microsoft Windows NT 4.0




This article was previously published under Q325358



IN THIS TASK

SUMMARY

Change the NTFS Permissions for a File or Folder
 * For Windows 2000
 * For Windows NT 4.0

Change the Virtual Directory or File Security
 * List of Access Control Options
 * Notes

REFERENCES



SUMMARY
This step-by-step article describes how to configure user and group access on an intranet server. The World Wide Web (WWW) and File Transfer Protocol (FTP) services that are included with Microsoft Internet Information Server (also known as IIS) on Windows NT 4.0 and Microsoft Internet Information Services (also known as IIS) on Windows 2000 are fully integrated with Windows 2000 user accounts and file access permissions.

Every access to a resource (for example, a file, an HTML page, or an Internet Server API [ISAPI] program) is performed by the services on behalf of a Windows user. The service impersonates the user by supplying a user name and password when it tries to read or run the resource for the client.


Change the NTFS Permissions for a File or Folder
To change the NTFS file system permissions for a file or folder, perform the procedure that is described in one of the following sections.

For Windows 2000

 * 1) Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
 * 2) Locate the file or folder for which you want to set permissions.
 * 3) Right-click the file or folder, click Properties, and then click the Security tab.
 * 4) To set up permissions for a new group or user, click Add, type the name of the group or user for which you want to set permissions (use the  \  format), and then click OK.
 * 5) To change or remove permissions from an existing group or user, click the name of the group or user.
 * 6) In Permissions, click Allow or Deny for each permission that you want to allow or deny.

Alternatively, to remove the group or user from the permissions list, click Remove.

NOTE: The Deny permission takes precedence over the Allow permission. If you apply Deny permissions to the Everyone group, the resource may be closed to that level of access by anyone, including the administrator.

For more information about how to change permissions in Windows, see the "Permissions" Help topic in Windows Help.


For Windows NT 4.0

 * 1) Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
 * 2) Right-click the file or folder for which you want to set permissions, click Properties, click the Security tab, and then click Permissions.
 * 3) To set up permissions for a new group or user, click Add, type the name of the group or user for which you want to set permissions (use the  \  format), select the type of access that you want to assign, and then click OK.
 * 4) To change permissions for an existing group or user, click the name of the group or user, select the type of access that you want to assign in Permissions, and then click OK.
 * 5) To remove the group or user from the permissions list, click Remove.

NOTE: The No Access permission takes precedence over other permissions. If you grant the No Access permissions to the Everyone group, the resource may be closed to that level of access by anyone, including the administrator.

For more information about how to change permissions in Windows, see the "Permissions" Help topic in Windows Help.


Change the Virtual Directory or File Security
To change the virtual directory or file security:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
 * 2) In the Internet Information Services snap-in, right-click a virtual directory, a folder, or a file, and then click Properties.
 * 3) On the Virtual Directory tab, the Directory tab, or the File tab (as appropriate), click the access control options that you want to use.

For example, right-click the Scripts virtual directory of the Default Web Site entry, and then click Properties. Click the Virtual Directory tab, and then change the access control options.

You can also use Internet Information Server or Internet Information Services virtual directory access control combined with NTFS access permissions to configure access to specific files in a Web site. After a user is authenticated for the Internet Information Server or Internet Information Services virtual directory, Internet Information Server or Internet Information Services uses the context of the requesting user to gain access to the NTFS file based on the user account, the user rights policy, and the file permissions.


List of Access Control Options
The following list describes the access control options:
 * Script Source Access: Use this option to allow users to access source code if either Read permissions or Write permissions are set. Source code includes scripts in Active Server Pages (ASP) programs.

NOTE: When you use the Script Source Access option, users may be able to view sensitive information, such as a user name and password, from the scripts in an ASP program. They can also change source code that runs on your server, which may seriously affect your server's security and performance. Access to this type of information and functions is best handled through individual Windows accounts and higher-level authentication, such as integrated Windows authentication.
 * Read: Use this option to allow users to read or download files or folders and their associated properties.
 * Write: Use this option to allow users to upload files and their associated properties to the enabled folder on your server or to change the content in a write-enabled file. Writing can be performed only with a browser that supports the PUT feature of the Hypertext Transfer Protocol (HTTP) 1.1 protocol standard.
 * Directory Browsing: Use this option to allow users to see a hypertext listing of the files and subfolders in this virtual directory. Virtual directories do not appear in directory listings; users must know a virtual directory's alias.

NOTE: The Web server displays an "Access Forbidden" error message in your Web browser if you try to access a file or folder and both of the following conditions are true:
    * Directory browsing is turned off.
    * You do not specify a file name, such as .htm.
 * Log Visits: Use this option to record visits to this folder in a log file. Visits are recorded only if logging is turned on for this Web site.
 * Index This Resource: Use this option to allow Microsoft Indexing Service to include this folder in a full-text index of your Web site.
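
The two rules this article states (Deny takes precedence over Allow, and a request must pass both the IIS access control option and the NTFS permissions), sketched as an added example that is not part of the original article and is not Microsoft code. It is a simplified model for reasoning about a configuration; the class names, function names, account names, and sample ACL are constructed for illustration.

```python
# Added example: simplified model, not IIS or Windows code. Sample data is constructed.
from dataclasses import dataclass

@dataclass
class VDir:
    # Subset of the IIS access control options listed above
    read: bool = False
    write: bool = False
    script_source_access: bool = False

@dataclass
class Ace:
    trustee: str       # user or group name
    kind: str          # "allow" or "deny"
    rights: frozenset  # subset of {"read", "write"}

def ntfs_allows(acl, user, groups, right):
    """Deny takes precedence over Allow; no matching Allow means no access."""
    trustees = {user, "Everyone", *groups}
    matching = [a for a in acl if a.trustee in trustees and right in a.rights]
    if any(a.kind == "deny" for a in matching):
        return False
    return any(a.kind == "allow" for a in matching)

def iis_allows(vdir, action):
    """Source-code actions need Script Source Access plus Read or Write."""
    base = vdir.write if action.startswith("write") else vdir.read
    if action.endswith("_source"):
        return vdir.script_source_access and base
    return base

def request_allowed(vdir, acl, user, groups, action):
    """Both layers must agree: the IIS option and the NTFS permissions."""
    right = "write" if action.startswith("write") else "read"
    return iis_allows(vdir, action) and ntfs_allows(acl, user, groups, right)

# Constructed ACL: a Deny on Everyone for write, plus two Allow entries
SAMPLE_ACL = [
    Ace("Everyone", "deny", frozenset({"write"})),
    Ace("Administrators", "allow", frozenset({"read", "write"})),
    Ace("CORP\\alice", "allow", frozenset({"read"})),
]

if __name__ == "__main__":
    site = VDir(read=True, write=True)
    for who, grp, act in [("CORP\\alice", [], "read"),
                          ("CORP\\admin", ["Administrators"], "write"),
                          ("CORP\\alice", [], "read_source")]:
        print(who, act, request_allowed(site, SAMPLE_ACL, who, grp, act))
```

The administrator's write is refused because the Deny entry on Everyone outranks the Allow entry on Administrators, which is the lockout the NOTE in the NTFS section warns about.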
