Diff behavior for "Integrated windows authentication" in IIS6 Vs I

Hi,
I'm quite confused by the behavior of IIS6's "Integrated Windows authentication"!

When I specify an admin account as the identity of the application pool which my web application uses, even an anonymous user on the intranet is able to access my application, and meanwhile I have not enabled anonymous access in IIS6.

But this case would never happen in IIS5, because, as we know, other users who do not have the privilege to access the server would not be able to access my web application when only "Integrated Windows authentication" is enabled.

Please help me, thanks.

You need to provide more precise details.
It is not just whether Windows integrated authentication is or is not enabled for use, but also what permissions exist on the content that determines what access happens. The account used for the application pool does not really alter the authentication behavior when the browser hits on the site.

"David Zhu" <David***@discussions.microsoft.com> wrote in message news:487A0A8C-AA7F-4C05-915C-137F378DA605@microsoft.com...
> Hi,
>
> I'm quite confused by the behavior of IIS6's "Integrated Windows authentication"!
>
> When I specify an admin account as the identity of the application pool which my web application uses, even an anonymous user on the intranet is able to access my application, and meanwhile I have not enabled anonymous access in IIS6.
>
> But this case would never happen in IIS5, because, as we know, other users who do not have the privilege to access the server would not be able to access my web application when only "Integrated Windows authentication" is enabled.
>
> Please help me, thanks.

Hi Roger,
Thanks. After further investigation, I found that I had neglected a quite important thing before. The ACL of my web application folder allows "Domain Users" to read and execute. So I think that allows the anonymous domain user to access my web application.

Thanks again.

"Roger Abell [MVP]" wrote:
> You need to provide more precise details.
> It is not just whether Windows integrated authentication is or is not enabled for use, but also what permissions exist on the content that determines what access happens. The account used for the application pool does not really alter the authentication behavior when the browser hits on the site.

IIS6 Integrated Windows Authentication works just like IIS5.
If you find a difference in behavior, it is most likely due to a difference in user configuration between the Windows 2000 Server and Windows Server 2003 machines.

Anonymous authentication in all versions of IIS means: "for all requests, log on a specified user account in IIS configuration and use that user account to execute the request". It has no relation to "anonymous user on the Intranet". It means that EVERY user from anywhere uses the specified user account in IIS configuration to execute requests on the server.

Integrated Windows authentication in all versions of IIS means: "For all requests, negotiate an acceptable authentication protocol to confirm the identity of a Windows user principal, and use that user's token to execute the request."

If you want to disallow "anonymous" access, then turn off Anonymous authentication in IIS, and make sure your resources are ACL'd to the right users and groups.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

David Zhu wrote:
> Hi Roger,
>
> Thanks. After further investigation, I found that I had neglected a quite important thing before. The ACL of my web application folder allows "Domain Users" to read and execute. So I think that allows the anonymous domain user to access my web application.
>
> Thanks again.
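
The check the replies above point to, written out as an added example that is not part of the original thread: it lists the "allow" entries on a content folder that grant read access to broad groups such as "Domain Users". The function name `Get-BroadAccessEntry`, the default group list (English names) and the scratch folder `acl-demo-site` are assumptions made for illustration.

```powershell
# Added example, not code from the thread. With Anonymous authentication off and
# Integrated Windows authentication on, the NTFS ACL on the content decides which
# authenticated users get in, so broad "allow" grants are what to look for.
function Get-BroadAccessEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumed English group names; adjust for localized systems.
        [string[]]$BroadGroups = @('Domain Users', 'Authenticated Users', 'Users', 'Everyone')
    )
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # IdentityReference looks like "CONTOSO\Domain Users"; compare the name part only.
        $name    = ($ace.IdentityReference.Value -split '\\')[-1]
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $canRead = (([int]$ace.FileSystemRights) -band $read) -eq $read
        if ($isAllow -and $canRead -and ($BroadGroups -contains $name)) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder standing in for the web application's
# content folder, with an explicit read/execute grant to Authenticated Users.
$demo = Join-Path $env:TEMP 'acl-demo-site'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl  = Get-Acl -Path $demo
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'Authenticated Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $demo -AclObject $acl

# Every row returned is a grant that admits any authenticated user in that group.
Get-BroadAccessEntry -Path $demo | Format-Table Identity, Rights, Inherited -AutoSize
```

Entries expressed only as generic rights on inherit-only ACEs are not matched by the `Read` mask test, so review those separately when they appear in `Get-Acl` output.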