>I have been trying to figure this one out for about an hour. I enabled basic authentication on a directory. I removed anonymous. So, basically, when accessing something in that directory, the basic authentication prompt is shown. I enter a valid username and password from the domain and it validates. However, I did not even give the user access to that directory, and after a valid login, we can proceed. I checked the directory permissions. Everything in there is locked. This is only administrators, system and things like that. So, what allows any user who logs in to proceed?
I think you are confusing authentication and authorization. Windows authentication is only going to check that the user has a valid Windows account on the server; access is still determined by the App Pool account. You need to determine the actual user permissions yourself, but how you do this depends on your needs. See this for the options:
https://msdn.microsoft.com/en-us/library/aa291540(v=vs.71).aspx
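To make the distinction in the answer concrete, here is an added example (not from the question or answer above) of what the site's configuration looks like with and without an authorization rule. It uses the IIS URL Authorization feature (the authorization element under system.webServer/security), which must be installed on the server; the directory name secure and the group CONTOSO\SecureDirUsers are assumed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config placed in the "secure" directory (directory name assumed for this example).
     Basic authentication is enabled and anonymous is disabled, exactly as in the question. -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>

      <!-- WEAK (the situation in the question): no authorization rule of our own.
           IIS inherits the default rule, which allows every user. Any account that
           can pass Basic authentication therefore gets in, regardless of NTFS ACLs. -->
      <!--
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
      -->

      <!-- CORRECTED: authentication still proves who the caller is, and this rule
           decides who is allowed. The inherited allow-all rule is removed first,
           then only members of the assumed group CONTOSO\SecureDirUsers are admitted. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="CONTOSO\SecureDirUsers" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

A quick check after deploying this: log in through the Basic prompt with a domain account that is not in the group; the credentials are still accepted (authentication succeeds) but the request now returns 401 from the authorization step rather than serving the content. That is the behaviour the answer describes: the login proves identity, the authorization rule grants or denies access.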