Disable inheriting the "Allow all users" rule from IIS 7

Question

I created a new site in IIS 7. This site is inheriting a rule to allow all users. I want to remove this rule but it won't let me. Is there a way to set the site to not inherit any rules?

Answer 1

Change your web.config f.e. in the following way:

<system.web>
   <authorization>
      <allow roles="Administrator"/>
      <deny users="?"/>
   </authorization>
</system.web>

Anonymous users are identified with the questionmark.

http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

You can do the same in IIS, what actually changes your web.config in the above way.

Edit: If this does not work try this at the top of the web.config:

<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Deny" users="?" />
                <add accessType="Allow" roles="Administrators" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

http://www.iis.net/ConfigReference/system.webServer/security/authorization

Edit2: My last attempt ...

Change the permission on your application directory to not include inheritable permissions from it's parent.

Answer 2

The solution for this is to use URL Authorization. See here to install it. Then in IIS Authorization Rules you can remove the rule that allows all users to access the site.

Based on this previous question IIS7 Authorization Rules / Config - Prompting Perpetually