Displaying expected errors to users in ASP.NET

I have found huge amounts of information (ie, this) on how to handle unexpected errors in ASP.NET, using the Page_Error and Application_Error methods as well as the customErrors directive in Web.config.

However, my question is what is the best way to handle EXPECTED errors. For example, I have a page to display a record. Each record has a specific list of users who are allowed to see it. Since many users may have the "View Records" role that are not on said list, I have to write some code on the page to filter them.

protected void Page_Load(object sender, EventArgs e)
{
    // Currently signed-in user (null if the request is anonymous).
    var user = Membership.GetUser();
    if (!CanUserViewThisRecord(Request["id"], user.UserName))
    {
        // Display an error to the user that says,
        // "You are not allowed to view this message", and quit.
    }
    else
    {
        // Display the page.
    }
}

What are the best practices for handling this kind of error? I can think of a few possibilities:

  1. Redirect to an error page.
  2. Put a label on every page called "lblErrorText". Leave it blank unless there is an error.
  3. Raise an exception and let the standard error handling deal with it.

This feels like a basic question and for that I apologize, but just about everything I've found has been in reference to unexpected exceptions. It's not that any of the above possibilities are hard to implement, but I'd like to use a standard, recommended method if possible.

NOTE: Thanks everyone for the answers. I want to clarify that users would NOT have the ability to click links to records they're allowed to view. This question is more in the interest of being defensive. For example, since the record ID is in the URL someone could potentially enter the ID of a forbidden record in the address bar. Or User A who is allowed might e-mail a link to User B who is not. It seems I may not be using the words "exception" and "error" in the correct way, but hopefully the scenario makes sense.

Mike asked Feb 14 '11 15:02


2 Answers

In the interest of failing gracefully, I'd go with the option to display a message on the page.

Even better is error prevention; if you know ahead of time that the user won't be able to do anything on the page, don't provide a link to it. Generally, users should only see the things that they are allowed to do.

Cylon Cat answered Oct 04 '22 22:10


As others have mentioned, I would prefer to prevent this before it gets sent, either by disabling the functionality for these users, or catching it with JavaScript before the page is sent.

You would still need to check on the server that the user is allowed to make use of a control, and in such cases the suggested label would be preferable as a solution to the other 3 given.

A further solution however would be to provide a hidden value to the page which is checked by JavaScript within the page, generating either an alert or a more easily spotted error dialogue than a label somewhere which might be missed leading to confusion as to why nothing happened.

Edit based on questioner's comments: if modifying a number in a URL is all that is required to point to records the user is unauthorized to use, would POST perhaps be a better method to use than GET? That way the way this error is handled is less important, as no standard user would encounter it.

Rawrgramming answered Oct 04 '22 20:10
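
An added example (not code from the question or from either answer) of the label approach with the authorization check enforced on the server for every request, whichever HTTP verb carries the id. The `ViewRecord` class name, the `pnlRecord` panel, the `int` signature and body of `CanUserViewThisRecord`, and the sample user `alice` are assumptions made for illustration.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ViewRecord : Page
{
    // Normally generated in the .designer.cs file; declared here so the sample is complete.
    protected Label lblErrorText;   // option 2 from the question
    protected Panel pnlRecord;      // hypothetical wrapper around the record markup

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on every request (GET, POST or postback): URL and form data are client-controlled.
        MembershipUser user = Membership.GetUser();   // null when nobody is signed in
        int recordId;
        bool idOk = int.TryParse(Request["id"], out recordId);

        if (user != null && idOk && CanUserViewThisRecord(recordId, user.UserName))
        {
            pnlRecord.Visible = true;
            lblErrorText.Visible = false;
            return;
        }
        // Log the parsed id only, never the raw request string.
        Deny(user == null ? "(anonymous)" : user.UserName,
             idOk ? recordId.ToString() : "(invalid)");
    }

    private void Deny(string userName, string idForLog)
    {
        // Same response for a bad id, a missing record and a user who is not on the
        // list, so the page does not reveal which ids exist.
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true;   // keep IIS from replacing this page body
        pnlRecord.Visible = false;                // record markup is never rendered
        lblErrorText.Visible = true;
        lblErrorText.Text = "You are not allowed to view this record.";
        // Expected denial: record it for review instead of throwing an exception.
        System.Diagnostics.Trace.TraceWarning(
            "Record access denied: user={0} id={1}", userName, idForLog);
    }

    // Hypothetical stand-in for the asker's per-record allow-list lookup.
    private static bool CanUserViewThisRecord(int recordId, string userName)
    {
        return recordId == 1 && string.Equals(userName, "alice", StringComparison.OrdinalIgnoreCase);
    }
}
```

The 403 status is set explicitly because a page that renders an error label still returns 200 by default, which makes denied requests hard to pick out in server logs and monitoring.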