Previous Section Table of Contents Next Section

Prohibited Behaviors

To protect your computers and your network, the Anonymous IIS user account is not a member of the local Users group; it's a member of the Guests user group. By default, a large number of useful scripting features and operating system functionality aren't available to members of the Guests group:

  • WMI.

  • Most ADSI functions; only general LDAP queries are allowed for most directory services. Active Directory doesn't usually allow anonymous LDAP queries by default.

  • Most operations that use the FileSystemObject (FSO).

  • Most operations using Windows Script Host (WSH) objects, including the Network and Shell objects.

  • Almost all network operations, including using any components that require network access.

The Anonymous user account is a local account on the Web server, and as such has no privileges or capabilities across the network or within a domain. Essentially, you can use intrinsic and custom VBScript functions and features, the intrinsic ASP objects (including Request and Response), and that's about it.

NOTE

IIS itself doesn't impose many restrictions on functionality; it's the user context being used to execute ASP pages that can be restricted. The Anonymous account can't do much, whereas an administrator account can do anything. Always keep that simple rule in mind as you write administrative Web pages.


    Previous Section Table of Contents Next Section