>I think you are confusing authentication and authorization. Windows authentication is only going to check that the user has a valid windows account in the server - access is still determined by the App Pool account. You need to determine the actual user permissions yourself but how you do this depends on your needs. See this for the options :
>
>
https://msdn.microsoft.com/en-us/library/aa291540(v=vs.71).aspxAs Rick mentioned in the other thread, that would also explain the situation.
I had been trying to avoid the web.config file adjustment. IAC, I moved all that back to the base design so to avoid using such Windows and IIS related authentication.