Blocking parent paths (ASP.NET equivalent)

[RM]

I see this question has been asked but not really fully answered (that I
could find).

All of our domains are on their own drive, such as this

f:\wwwdomain1
f:\wwwdomain2
f:\wwwdomain3

and so on.

If we setup a new domain for someone, say wwwdomain3, provide FTP in
access to an outside person so they can upload their own web-pages, it
seems they can easily write this code...

string[] s = Directory.GetDirectories("c:\\Documents and Settings\\");

And get a listing of all the user directories, or

string[] s = Directory.GetDirectories("f:\\wwwdomain2\\");

and get all the files in another domain we host, and so on...

I am not comfortable with this. It seems there is no [x] Disable Parent
Paths checkbox in IIS for ASP.NET, and it seems they suggest relying on
NTFS permissions to stop this kind of thing. I guess I'm not sure the
most elegant way to make it so "every single public website runs as it's
own user with only access to it's own directory". I know IIS runs as the
IIS_USR, I'm not sure even how to set it up if making it so every domain
in IIS runs as it's own locked down user...

A) Is this really the answer?
B) How do you do it?

Thank you

 

[Wes Henderson]

Are you running IIS 6 by any chance? It introduces "application pools"
where you can assign unique user accounts to web applications.

For example, you could create an application virtual directory on their site
for them to upload asp.net code, and have all that code run under a specific
user account. Configuring it is fairly straightforward.

If you are running IIS 5, I don't know how to do it, or if it is even
possible. I wish you luck, though.

--
Regards,
Wes Henderson

In order to help everyone, please direct all replies to this newsgroup.
This posting is my personal effort to provide help and is not on behalf of
any company.
Also, this posting is provided "AS IS" with no expressed or implied
warranties.