Introduction

Before reading this you should read and understand all the information in this article:

http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Delegation-in-IIS7/Delegating-Permission-in-Config/How-to-Use-Locking-in-IIS7-Configuration

This article covers a few points that might still be unclear after reading the above.

The lockItem attribute versus lockElements, etc…

Although the configuration system will allow you to put a lockItem attribute on any element in config, it is meaningless unless the element is a collection item (which, for this purpose, includes configuration sections). Conversely, the lockElements, lockAttributes, lockElementsExcept and lockAttributesExcept attributes can also be placed on any element in configuration but have no effect when placed on collection items. Because a misplaced lock attribute is accepted without any error, a lock on the wrong kind of element silently does nothing; verify the effective lock by attempting the override from a lower level rather than trusting that the attribute is present in the file.

Locking and location paths

Any lock placed on a section, element or attribute only prevents it from being changed at lower configuration levels, i.e. in web.config files further down the hierarchy. It does not lock the item for a lower location path at the same configuration level. Using the same <windowsAuthentication> section example, putting the following text in applicationHost.config (where path="." is the server level) is completely valid:

<location path="." overrideMode="Allow">

  <system.webServer>       

     <security>

        <authentication>

           <windowsAuthentication enabled="false" lockAttributes="enabled" />

        </authentication>

     </security>

  </system.webServer>

</location>

<location path="Default Web Site">

  <system.webServer>       

     <security>

        <authentication>

           <windowsAuthentication enabled="true"/>

        </authentication>

     </security>

  </system.webServer>

</location>

Even though the enabled attribute has been locked at the server level, you can still redefine it for Default Web Site inside applicationHost.config. If you moved the contents of the second location path into Default Web Site's web.config file, however, you would receive a configuration error. Locks are therefore a delegation boundary between applicationHost.config and the web.config files below it, not a protection against anyone who can edit applicationHost.config itself; that person can change the lock as easily as the value.

Unlocking via a location path

You can't unlock a section, element or attribute via a location path. For example, the following applicationHost.config entries leave the whole <windowsAuthentication> section, and with it the enabled attribute, locked for lower-level config files, including Default Web Site's web.config file; the lockItem="false" in the second location path does not undo the lockItem="true" in the first:

<location path="."  overrideMode="Allow">

  <system.webServer>       

     <security>

        <authentication>

           <windowsAuthentication enabled="false" lockItem="true"/>

        </authentication>

     </security>

  </system.webServer>

</location>

<location path="Default Web Site">

  <system.webServer>       

     <security>

        <authentication>

           <windowsAuthentication lockItem="false" />

        </authentication>

     </security>

  </system.webServer>

</location>
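The two rules above (a lock binds only the web.config files below applicationHost.config, and a deeper location path can add locks but never remove them) can be checked mechanically. The following Python script is an added example and is not code from the original article or from IIS; it models how lockItem, lockAttributes and lockAttributesExcept from applicationHost.config apply to a site's web.config, using constructed fragments modelled on the two examples above. The section path, the helper names and the violation messages are this example's own; the real configuration system remains the authority on what it accepts.

```python
"""Model of how IIS 7 configuration locks bind lower configuration levels.

Added example; not code from the original page or from IIS. It reads a
constructed applicationHost.config fragment and a constructed site-level
web.config fragment and reports which settings in the web.config the locks
would reject. Only lockItem, lockAttributes and lockAttributesExcept are
modelled, for the page's <windowsAuthentication> section.
"""
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/authentication/windowsAuthentication"
LOCK_ATTRS = {"lockItem", "lockAttributes", "lockAttributesExcept",
              "lockElements", "lockElementsExcept"}

# Constructed applicationHost.config: the page's first example, plus the
# lockItem="false" attempt from its second example in the site location.
APPHOST = """<configuration>
 <location path="." overrideMode="Allow">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="false" lockAttributes="enabled" />
  </authentication></security></system.webServer>
 </location>
 <location path="Default Web Site">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="true" lockItem="false" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""

# Constructed web.config for Default Web Site attempting the same redefinition.
SITE_WEBCONFIG = """<configuration>
 <system.webServer><security><authentication>
  <windowsAuthentication enabled="true" />
 </authentication></security></system.webServer>
</configuration>"""


def _find(elem, section):
    """Walk a '/'-separated section path by direct child tag (tags contain dots)."""
    for tag in section.split("/"):
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem


def _covers(location_path, site_path):
    """A <location> applies to site_path if it is the server root ('.' or '')
    or an ancestor-or-self of site_path."""
    if location_path in (".", ""):
        return True
    return site_path == location_path or site_path.startswith(location_path + "/")


def locks_for(apphost_xml, site_path, section=SECTION):
    """Locks that applicationHost.config imposes on web.config files under site_path.

    Locks only accumulate: lockItem="false" or a missing lock attribute in a
    deeper <location> never clears a lock set at a higher one.
    """
    locks = {"lockItem": False, "lockAttributes": set(), "lockAttributesExcept": None}
    for loc in ET.fromstring(apphost_xml).findall("location"):
        if not _covers(loc.get("path", "."), site_path):
            continue
        elem = _find(loc, section)
        if elem is None:
            continue
        if elem.get("lockItem", "false").lower() == "true":
            locks["lockItem"] = True
        if elem.get("lockAttributes"):
            locks["lockAttributes"] |= {a.strip() for a in elem.get("lockAttributes").split(",")}
        if elem.get("lockAttributesExcept") is not None:
            allowed = {a.strip() for a in elem.get("lockAttributesExcept").split(",")}
            prev = locks["lockAttributesExcept"]
            locks["lockAttributesExcept"] = allowed if prev is None else prev & allowed
    return locks


def check_webconfig(apphost_xml, site_path, webconfig_xml, section=SECTION):
    """Return the violations a web.config at site_path would trigger ([] = accepted).

    Redefinitions inside another <location> of applicationHost.config are never
    checked here: locks bind the files below, not the file that sets them.
    """
    locks = locks_for(apphost_xml, site_path, section)
    elem = _find(ET.fromstring(webconfig_xml), section)
    if elem is None:
        return []
    if locks["lockItem"]:
        return [f"section {section.rsplit('/', 1)[-1]} is locked (lockItem)"]
    violations = []
    for attr in elem.attrib:
        if attr in LOCK_ATTRS:
            continue  # a web.config may add locks of its own, but cannot remove any
        if attr in locks["lockAttributes"]:
            violations.append(f"attribute {attr} is locked (lockAttributes)")
        elif locks["lockAttributesExcept"] is not None and attr not in locks["lockAttributesExcept"]:
            violations.append(f"attribute {attr} is locked (lockAttributesExcept)")
    return violations


if __name__ == "__main__":
    for v in check_webconfig(APPHOST, "Default Web Site", SITE_WEBCONFIG):
        print("rejected:", v)
```

Run as-is, the script reports that the web.config's enabled="true" is rejected because of the server-level lockAttributes, even though the same redefinition sits unchallenged in the Default Web Site location of applicationHost.config. Swapping the root lock for lockItem="true" rejects any definition of the section from a web.config, and the lockItem="false" in the site location changes nothing, which is exactly the behaviour the last two sections describe.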