I have a virtual directory (called "File") setup for my web application. The directory is used to house user file uploads as well as official downloads that we offer.
I want to prevent any file from the "File/UserUpload" directory from ever being served up to a user. It would be pretty difficult (i.e. it will never happen) for a user to come up with the proper filename to request a file since the files are created with a GUID, but I'd like to disallow it nonetheless.
How can I stop IIS from serving files in the virtual directory?
Add a web.config file to the directory which denies all users access to the directory.
It should look something like this:
IIS 7:
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
</authorization>
</security>
</system.webServer>
Here is another SO post which may be helpful: https://serverfault.com/questions/72680/iis7-how-to-block-access-with-a-web-config-file