Alex,
you are correct....
.......5 minutes later
I found the following, see snippet below, at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMGlance.asp
I have not tested it yet, but it might be possible to add a new verb like:
<add verb="*" path="*.jpeg" type="System.Web.HttpForbiddenHandler" />
As I said, not sure if this will work, migth be worth a try.
If it does not work, you're still correct Alex
--
Best regards,
Geir Aamodt
geir.aamodt(AT)bekk.no
----------------Snippet start----------------
Map Protected Resources to HttpForbiddenHandler
HTTP handlers are located in Machine.config beneath the <httpHandlers>
element. HTTP handlers are responsible for processing Web requests for
specific file extensions. Remoting should not be enabled on front-end Web
servers; enable Remoting only on middle-tier application servers that are
isolated from the Internet.
a.. The following file extensions are mapped in Machine.config to HTTP
handlers:
b.. .aspx is used for ASP.NET pages.
c.. .rem and .soap are used for Remoting.
d.. .asmx is used for Web Services.
e.. .asax, .ascx, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .asp,
..licx, .resx, and .resources are protected resources and are mapped to
System.Web.HttpForbiddenHandler.
For .NET Framework resources, if you do not use a file extension, then map
the extension to System.Web.HttpForbiddenHandler in Machine.config, as shown
in the following example:
<add verb="*" path="*.vbproj" type="System.Web.HttpForbiddenHandler" />
In this case, the .vbproj file extension is mapped to
System.Web.HttpForbiddenHandler. If a client requests a path that ends with
..vbproj, then ASP.NET returns a message that states "This type of page is
not served."
The following guidelines apply to handling .NET Framework file extensions:
a.. Map extensions you do not use to HttpForbiddenHandler. If you do not
serve ASP.NET pages, then map .aspx to HttpForbiddenHandler. If you do not
use Web Services, then map .asmx to HttpForbiddenHandler.
b.. Disable Remoting on Internet-facing Web servers. Map remoting
extensions (.soap and .rem) on Internet-facing Web servers to
HttpForbiddenHandler.
----------------Snippet end----------------