From: NZ Jimmy on
I have a page in an ASP.NET web application that includes an external
javascript file using a fairly basic script tag:

<script src="DispatchRuleControl.js" type="text/javascript"></script>

When running the application on the ASP.NET internal webserver everything
works fine. When I try to host it on IIS7 however, access to the
DispatchRuleControl.js file is denied and the request for the js file results
in a redirect to the login page.

In the directory where the offending *.js file
is located, I have an ASP.NET web.config file that contains the following:

<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>

If I replace that <deny users="*" /> with a <deny users="?" /> then I can
get at the javascript file just fine. HOWEVER that also means that logged in
non administrative users can then access all of the files in this directory
(definitely not what I want).

If I leave <deny users="*" /> then when I'm logged in as an administrator I
can get at any *.aspx and *.ascx files in that directory, but not any *.js
files ???

Again, this ONLY happens when hosting the Web Application in IIS 7 - when
hosting on the Visual Studio internal web server everything runs fine.

Any ideas?

Jimmy

NOTE: I posted a similar thread in the IIS Security ng, but I'm becoming
more and more convinced this is an ASP.NET issue and not an IIS one... the
fact that the behaviour is altered by modifying settings in the
<authorization> section of the web.config are a definite clue...