Anonymous Users Have Same Access as Domain Users in IIS

• Microsoft Internet Information Server version 1.0

SYMPTOMS

In Internet Information Server (IIS), you can allow only domain users to access most of the web pages and anonymous users to access specific public web pages using NTFS security permissions. However, you cannot do this if the Internet Information Server is installed on a primary domain controller (PDC).

CAUSE

In IIS, you can allow both anonymous and domain users to access the web pages if you select "allow Anonymous" and "Windows NT Challenge/Response" in WWW Service Properties. You can then use the NTFS security permissions to specify access to the Web server contents. IIS creates a special account called IUSR_<ComputerName> for anonymous logons. However, if you install IIS on a PDC, the IUSR_<ComputerName> account becomes a member of Domain Users. As a result, anonymous users have the same access as the Domain Users.

RESOLUTION

To correct this problem, remove IUSR_<ComputerName> from Domain User global group and add it to the Guest group using User Manager for Domains.

NOTE: Any user account that you create on a PDC automatically becomes a member of the Domain Users group.