Yes, I understand that, but if you have a folder outside the virtual directory, you have to remember to set permissions and it's another place that hackers could potentially get to.

>The Virtual Folder can point to a folder elsewhere on the network. It will appear to the application to be in the Applications own folder structure, but IIS will store content whereever you specify (assuming the permissions are correct). We do this for most of our sites.