Comments/Troubleshooting

Suppose that your web site consists of several pages that must be accessible to all users—even anonymous users. It also contains several pages that require the user to log on with a specific account or to be a member of a specific group. To allow for both types of users on your site, use the Internet Information Server Management Console to select the Anonymous option together with either Basic Clear Text or Windows NT Challenge Response. Then set the file permissions on the restricted files so that anonymous users are forbidden access. Alternatively, you could check the LOGON_USER element of the Request object's ServerVariables collection and, if it's blank, set the Status property of the Response object to 401 Unauthorized. This will force the user to log on to the site using a valid username and password.
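The LOGON_USER check described above, written out as a classic ASP page together with a Permission Checker lookup (an added example, not code from the book). The /members/ paths are constructed placeholders, and the page assumes the Permission Checker component is installed and that Anonymous plus one other authentication method are enabled.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
Response.Buffer = True   ' hold output so the status line can still be changed

' Added example; the /members/*.asp paths below are constructed placeholders.
Dim strUser
strUser = Request.ServerVariables("LOGON_USER")

' A blank LOGON_USER means IIS served this request anonymously.
If Len(strUser) = 0 Then
    Response.Clear
    Response.Status = "401 Unauthorized"
    Response.End          ' send nothing of the restricted page
End If

' Authenticated from here on. Ask the Permission Checker which of the
' restricted files this account may read, according to their file permissions.
Dim objPerm, arrPages, strPage
Set objPerm = Server.CreateObject("MSWC.PermissionChecker")
arrPages = Array("/members/reports.asp", "/members/admin.asp")
%>
<html><body>
<p>Signed in as <%= Server.HTMLEncode(strUser) %></p>
<ul>
<%
For Each strPage In arrPages
    ' HasAccess is False when access is denied or the file does not exist.
    If objPerm.HasAccess(strPage) Then
        Response.Write "<li><a href=""" & Server.HTMLEncode(strPage) & """>" & _
                       Server.HTMLEncode(strPage) & "</a></li>" & vbCrLf
    End If
Next
Set objPerm = Nothing
%>
</ul>
</body></html>
```

Hiding a link this way is a convenience only; the file permissions on the restricted files remain the actual access control.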

Note that Basic Clear Text authentication is by no means secure. However, Windows NT Challenge Response, though more secure, is supported only by Microsoft's Internet Explorer. Also, it may not work when your users are connecting to your site (and providing security information) through a proxy server. In my experience, the typical result in this latter case is that you receive two empty strings for the username and password.

Even if you exclusively use anonymous access to your site, the Permission Checker component still has a useful purpose. In attempting to determine the security on a given file, the Permission Checker object must determine if the file exists. Although ...
