Do whatever makes sense. I tend to put uploaded files into the virtual folder structure, then protect the folder with a location tag that disallows all users. There's no risk there as long as you set the access appropriately.
One reason this is often desirable is that the Web application often doesn't have rights to write outside of the virtual folder structure. You also can't easily map paths with Server.MapPath(), which means you have to track the upload folder using config settings.
And if you do allow uploading to a separate non-Web folder, realize that that has security potential issues as well. You're potentially opening yourself to other security issues as you now have a path that the Web server account has to have access to.
Either way there are potential security issues with either of these approaches that require locking down security settings.
+++ Rick ---
>We have an ASP.NET application that requires uploading and storing of files. A developer here wants to place the upload attachment folder within the application physical folder structure associated with the virtual directories.
>
>I do not want to place it there due to the possibility of security issues. Are there accepted practices for the placement of application file upload folders? Is this documented anywhere?
>
>Thanks,
>Bill