Setting IIS Web Site Permissions

Applies To: Windows Server 2003, Windows Server 2003 with SP1

In IIS 6.0, you can set Web site permissions, which allow you to control access to a Web site or virtual directory. IIS examines Web site permissions to determine which type of action can occur, such as accessing the source code of a script or browsing folders.

Use Web site permissions in conjunction with NTFS permissions, not in place of NTFS permissions. You can set Web site permissions for specific sites, directories, and files. Unlike NTFS permissions, Web site permissions affect everyone who tries to access your Web site.


If Web site permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.

Table 3.8 lists and describes the Web site permissions that are supported by IIS 6.0.

Table 3.8 Web Site Permissions That Are Supported by IIS 6.0

Permission Description


Users can view the content and properties of directories or files. This permission is set by default. This permission is required for Web sites that have static content. If all of your content is scripted, such as a Web site that only uses Active Server Pages (ASP) content, you can remove the Read permission.


Users can change content and properties of directories or files.

Script Source Access

Users can access source files. If the Read permission is set, then users can read source files; if the Write permission is set, then users can modify the content and properties of the source files. The Script Source Access permission also applies to the source code for scripts. This option is not available if both the Read and Write permissions are not set.

Set this permission only when using Web Distributed Authoring and Versioning (WebDAV). In addition, make sure that you require authentication for this site and that your file permissions are set correctly.

When you set the Script Source Access permission, users might be able to view sensitive information, such as a user name and password. Users might also be able to change source code that runs on your server, and seriously affect the security and performance of your server.

Directory browsing

Users can view file lists and collections.

Log visits

A log entry is created for each visit to the Web site. As an operational security practice, it is highly recommend that you enable logging.

Index this resource

Indexing Service can index this resource. This allows searches to be performed on the resource.


Users have the appropriate level of script execution:

  • None. Does not allow scripts or executables to run on the server.

  • Scripts only. Allows only scripts to run on the server.

  • Scripts and Executables. Allows both scripts and executables to run on the server.

For information about how to set Web site permissions, see Configure Web Site Permissions.