A potentially dangerous Request.Path
Message
From
02/09/2011 03:54:27
 
 
To
01/09/2011 15:15:23
General information
Forum: ASP.NET
Category: Other
Environment versions
Environment: VB 9.0
OS: Windows 7
Network: Windows 2003 Server
Database: MS SQL Server
Application: Web
Miscellaneous
Thread ID: 01522446
Message ID: 01522558
Views: 33
This message has been marked as a message which has helped to the initial question of the thread.
>Ok, here is the result.
>
>It does go in the custom request validator. If I do a normal hit, one without the & character in the path, I can see it executes my code in there. The code is an Event Viewer logging. It does, however, log the same entry 18 times for one click. This is something I don't understand.
>
>However, if I add the & at the end of the path, it does not execute my custom request validator. It seems IIS takes over the priority in such a case and we have no way of intercepting that.
>
>In your test, were you able to test:
>
>http://localhost/MyDirectory
>http://localhost/MyDirectory/&
>
>Are those situations both going into your custom request validator? For me, only the first one goes.

Hmm. AFAICS you're right. Even with the replacement validator in effect the default validator still fires first. All the documentation I can find indicates that the custom version should *replace* the default - and there are even a few posts around indicating that this works as a solution. But regardless of the settings for requestValidationMode and any Page validateRequest settings the default fires first. The only way I found to prevent it was to modify the requestPathInvalidCharacters string (and handle any modified check for the removed characters to the custom validation).

Bottom line: I couldn't find any way to completely disable the default request validator.
I also read that, contrary to what I thought, it is only possible to have *one* custom validator in effect per site - different ones at different levels won't work.....

NOTE: all my testing was done using the dev server. Didn't deploy anything to a full IIS site.
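
The workaround described in the message above, sketched as an added example that is not code from the thread: "&" is taken out of requestPathInvalidCharacters and the check for it is moved into the custom validator, so the path is still validated. It assumes ASP.NET 4, a hypothetical class MySite.PathCharRequestValidator, and that the runtime hands the request path to the validator with RequestValidationSource.Path.

```vb
' Added example, not from the thread. Names under MySite are hypothetical.
'
' web.config, system.web section: "&" (written &amp; in XML) is dropped from
' the default list "<,>,*,%,&,:,\,?" so the request reaches the class below:
'   <httpRuntime requestValidationType="MySite.PathCharRequestValidator"
'                requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" />
Imports System.Diagnostics
Imports System.Runtime.InteropServices
Imports System.Web
Imports System.Web.Util

Namespace MySite
    Public Class PathCharRequestValidator
        Inherits RequestValidator

        ' Characters removed from requestPathInvalidCharacters. They are
        ' re-checked here so the path is never left unvalidated.
        Private Shared ReadOnly RemovedPathChars As Char() = {"&"c}

        Protected Overrides Function IsValidRequestString(
                ByVal context As HttpContext,
                ByVal value As String,
                ByVal source As RequestValidationSource,
                ByVal collectionKey As String,
                <Out()> ByRef failureIndex As Integer) As Boolean

            ' Only the URL path gets the extra check; collectionKey is
            ' not meaningful for this source.
            If source = RequestValidationSource.Path AndAlso value IsNot Nothing Then
                Dim hit As Integer = value.IndexOfAny(RemovedPathChars)
                If hit >= 0 Then
                    failureIndex = hit
                    Trace.TraceWarning("Rejected path character at index {0}", hit)
                    Return False
                End If
            End If

            ' Every other source, and a clean path, still goes through
            ' the built-in checks.
            Return MyBase.IsValidRequestString(context, value, source,
                                               collectionKey, failureIndex)
        End Function
    End Class
End Namespace
```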