>>I think you are confusing authentication and authorization. Windows authentication is only going to check that the user has a valid windows account in the server - access is still determined by the App Pool account. You need to determine the actual user permissions yourself but how you do this depends on your needs. See this for the options :
>>
>>https://msdn.microsoft.com/en-us/library/aa291540(v=vs.71).aspx
>
>As Rick mentioned in the other thread, that would also explain the situation.
>
>I had been trying to avoid the web.config file adjustment. IAC, I moved all that back to the base design so to avoid using such Windows and IIS related authentication.

Like I said the only way to control access to physical resources/folder/files in IIS (short of creating a custom module) is to use Windows Authentication. All other authentication mechanisms only support challenge operations and validation via code.

Windows Auth can be useful administrative task and blocking off Admin folders for access, so you can store things like logs and other telemetry there. But for application level authentication I would never recommend using Windows related accounts - it's such a hassle to maintain. Using a programming based model is almost always easier in the long run and much more flexible to do what you want.

+++ Rick ---