Most virtual hosting providers currently disable the standard ASP component FileSystemObject, which gives ASP scripts broad file-system access: they can read, write, copy, delete and rename any file on the server's disks (under the default NTFS permissions of Windows NT/2000, at least). However, once this component is disabled, every ASP page that relies on it stops working, which fails to meet customers' requirements.
How can FileSystemObject be left enabled without compromising the server's security, that is, without letting a user on one virtual host read or write another user's files through the component? The following is a method I worked out in my own experiments, using Windows 2000 Server as the example.
Open Windows Explorer on the server, right-click the drive letter of each hard disk partition (volume), choose "Properties" from the pop-up menu and open the "Security" tab. Here you can see which accounts can access this partition (volume) and with what permissions. After a default installation, "Everyone" has Full Control. Click "Add" to add the groups "Administrators", "Backup Operators", "Power Users", "Users" and any others you need, and grant them Full Control or the appropriate permissions; also keep "SYSTEM" with Full Control, because Windows services (IIS included) run under that account and removing it breaks the system. Note: grant no permissions at all to the "Guests" group or to the "IUSR_machinename" account. Then remove the "Everyone" group from the list. In this way only the authorised groups and users can access the partition. When an ASP page runs, it accesses the disk as "IUSR_machinename", and because that account has no permissions the page can neither read nor write files there.
The next step is to create a separate user account for each virtual host customer and assign each account a directory over which it has full control.
As shown in the figure, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right-hand pane and choose "New User" from the pop-up menu.
In the "New User" dialog box, fill in "User name", "Full name", "Description", "Password" and "Confirm password" as required, clear the "User must change password at next logon" check box, and select "User cannot change password" and "Password never expires". In this example an anonymous account named "iusr_vhost1" is created for the first virtual host: every client that accesses this host through http://xxx.xxx.xxxx/ will do so under this identity. After entering the information, click "Create". You can create as many users as needed; click "Close" when you are done:
The newly created user now appears in the account list. Double-click it for further settings:
In the "iusr_vhost1 Properties" dialog box (the account you just created), click the "Member Of" tab:
By default the new account belongs to the "Users" group. Select that group and click "Remove":
[Image: safea005.gif]
As shown in the figure, click "Add":
In the "Select Groups" dialog box, find "Guests" and click "Add"; the group appears in the text box below. Click "OK":
As shown in the figure, click "OK" to close this dialog box:
Open "Internet Information Services" and configure the virtual host; this example uses "First Virtual Host". Right-click the host name and choose "Properties" from the pop-up menu:
The "First Virtual Host Properties" dialog box appears. The folder "F:\vhost1" is the home directory used by this virtual host's customer:
Leave the "First Virtual Host Properties" dialog box open and switch to Windows Explorer. Find the "F:\vhost1" folder, right-click it and choose "Properties" → "Security". The default security setting on this folder is "Everyone" with Full Control (what you see depends on your situation). First clear the "Allow inheritable permissions from parent to propagate to this object" check box:
The "Security" warning shown in the figure appears. Click "Remove":
All groups and users in the Security tab are now cleared (if any remain, use "Remove" to clear them). Then click "Add".
As shown in the figure, add "Administrators" and the new account "iusr_vhost1" and grant them Full Control. You can add other groups or users as needed, but never add anonymous-access accounts such as "Guests" or "IUSR_machinename"! Note that Modify is sufficient for the web identity to read, write and delete its own files; Full Control additionally lets a script running as that identity rewrite the permissions on its own directory, so Modify is the tighter choice.
Switch back to the "First Virtual Host Properties" dialog box, open the "Directory Security" tab and click "Edit" under "Anonymous access and authentication control":
In the "Authentication Methods" dialog box that appears, click "Edit" next to "Anonymous access", as shown in the figure:
The "Anonymous User Account" dialog box appears; the default is "IUSR_machinename". Click "Browse":
In the "Select User" dialog box, find the newly created account "iusr_vhost1" and double-click it:
The anonymous user name has now changed. In the Password box, enter the password you set for this account when you created it:
Confirm the password:
Click "OK" to close each of these dialog boxes.
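The steps above (dedicated anonymous account in Guests, home directory with inheritance removed and an explicit ACL, anonymous authentication bound to that account) can be scripted on a current Windows Server. The following is an added example, not code from the original article: Windows 2000 has no PowerShell, so it assumes a modern Windows Server with IIS and the WebAdministration and Microsoft.PowerShell.LocalAccounts modules, and it assumes the site name "First Virtual Host", the home directory F:\vhost1 and the account name iusr_vhost1 from the walkthrough. It grants Modify rather than Full Control, for the reason given above.

```powershell
# Added example (not from the original article). Assumed environment: Windows
# Server with IIS 7+ (WebAdministration module) and the LocalAccounts module.
# Assumed names: site "First Virtual Host", home dir F:\vhost1, user iusr_vhost1.
param(
    [string]$Site    = 'First Virtual Host',
    [string]$HomeDir = 'F:\vhost1',
    [string]$Account = 'iusr_vhost1',
    [string]$Volume  = 'F:\'      # data volume only; do not point this at the system drive
)

Import-Module WebAdministration

# Step 1: one anonymous account per virtual host, placed in Guests rather than
# Users so it inherits none of the permissions granted to the Users group.
$password = Read-Host -AsSecureString "Password for $Account"
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $password `
        -Description "Anonymous web identity for $Site" `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}
if (Get-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $Account
}
if (-not (Get-LocalGroupMember -Group 'Guests' -Member $Account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Guests' -Member $Account
}

# Step 2: lock the home directory to Administrators, SYSTEM and this account.
# /inheritance:r drops every ACE inherited from the volume root (the "do not
# propagate inherited permissions" step); /grant:r replaces the explicit ACEs.
# (OI)(CI) applies the ACE to files and subfolders; M = Modify, F = Full Control.
New-Item -ItemType Directory -Path $HomeDir -Force | Out-Null
icacls $HomeDir /inheritance:r
icacls $HomeDir /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
                         "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                         "${Account}:(OI)(CI)M"

# Step 3: the volume root must grant nothing to Everyone, Guests or the default
# anonymous identity (IUSR on modern IIS), so the account cannot wander outside
# its home directory. Entries that are not present are simply skipped.
icacls $Volume /remove:g 'Everyone' 'BUILTIN\Guests' 'IUSR'

# Step 4: bind the site's anonymous authentication to the new account.
# The section is locked at server level by default, so write it as a
# <location> entry in applicationHost.config via -PSPath 'IIS:\' -Location.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$filter = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name userName -Value $Account
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name password -Value $plain
$plain = $null

# Step 5: show the resulting ACLs so they can be checked against the intent:
# the home directory lists only Administrators, SYSTEM and $Account, and the
# volume root lists neither $Account nor Everyone/Guests/IUSR.
icacls $HomeDir
icacls $Volume
```

Run it once per virtual host with a different site name, directory and account. The password prompt is deliberate: it keeps the credential out of the script file and out of the command history.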
With this configuration, the "First Virtual Host" customer can only reach the contents of his or her own directory F:\vhost1 through ASP's FileSystemObject; any attempt to access anything else fails with a message such as "Permission denied", "Disk not ready" or "500 Internal Server Error".
Note also that this setup prevents the user from reading a partition's capacity or its volume serial number. To allow access to that information for the whole partition, right-click the partition (volume), choose "Properties" → "Security", add the user's account to the list and grant it at least "Read" permission. Apply that entry to "This folder only": the subdirectories configured above no longer inherit permissions from the parent, so they are unaffected, but any folder on the volume that still inherits from the root would otherwise become readable to that account as well.