In a shared hosting environment with multiple sites/domains each site requires the aspnet_wp account at least read access to each sites folder structure in order to run asp.NET. However, this poses a security problem in how do you prevent scripts running on one site from reading files and folder information on another site?

Traditionally with IIS5 and asp you could create an anonymous account for each site and tie down file security quite tightly by removing IUSR_machine access from all folder and files and setting the anonymous user to the sites anonymous account within IIS.

How can this be acheived in Win2k IIS5 non domain controllor? As it stands it's a big security risk.

I wonder just the same.
Any MS people or someone else that "know how to do it" answer this or point us to articles about it.
I have searched on www.iisfaq.com and www.iisadministrator.com with no results

hope for a sooooon answer :e

cya all
/PatrikB

Hello

My answer is a bit late, but it might still be relevant:

Read these posts (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624) and (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023) and download the latest version of our Open Souce Asp.Net Security Analyser (it also contains the IIS 5.0 security guide with detailed instructions on how to solve this problem)

Read this post to see what I have done so far to call microsoft's attention to this problem "When will Microsoft take Asp.Net Security seriously?" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

Best regards