Ok, thanks. Those were pretty much my original thoughts on the issue, but I was essentially outvoted by the majority. :-) We will give this consideration as we set up the environment.

Bill

>>Ok, thanks Paul. This is somewhat in conflict with feedback I have gotten from others indicating the security risks could be minimized. However we will take all this info and fold it into our final dispensation.
>>
>
>They're wrong ;-)
>
>Virtual folders are a way of creating a folder name in IIS that points to a completely different folder in the file system. The whole point of it is to expose some resource to the outside world - if you didn't want to expose it, why bother creating a virtual folder for it? So, unless you explicitly set permissions on that virtual through Windows permissions (which requires Windows auth to be on and passed from the browser), other users will have access to the items in that folder. You could also jump through other hoops and exclude certain file types from being served. but again, if you're doing that why expose it at all?
>
>It's much simpler to store the files somewhere NOT directly accessible through IIS and have a gateway call to upload/download from. That is, a handler that can download the file for the user (which you can then explicitly check if they have permission before sending the file to them), or an action in a controller that does the same thing.