Microsoft FrontPage 2000 Server Extensions Resource Kit

Security on Windows NT

 ^{3 of 9}     How IIS Authenticates HTTP Requests

When IIS receives an HTTP request from a Web browser or from the FrontPage client, it does the following:

1. The request is first attempted as the anonymous account, IUSR_machinename. If that account does not have sufficient access to complete the request, or if IIS does not have anonymous browsing enabled, then IIS returns error 401 ("Access Denied").
2. IIS then performs user authentication to allow the remote user to identify himself or herself using Basic Authentication or Windows NT Challenge/Response. If the Web browser or FrontPage client is using Windows NT Challenge/Response, the user may not see a prompt, because the FrontPage client or the Web browser simply supplies the user name and password of the logged-in user from the client computer.
3. IIS allows access to a file in the Web server only if the NTFS ACL for the file grants the correct permissions to the account being impersonated by the Web server.