Two common misconceptions users hold about IIS configuration and user privileges are:

  1. If I am logged in as Administrator, everything should work and I should never see "Access Denied"
  2. If I enabled anonymous access in IIS, everything should work and I should never see "Access Denied"

Why are these statements false? They sound logical: after all, an Administrator should have full access to the system, and anonymous access is supposed to let anyone reach the server, so it should never fail.

Administrator can be denied access

The fact of the matter is that while Administrators can ultimately get at anything on the system and can change anything, Windows runs access checks against an Administrator's token exactly as it does for any other user's. That includes the ability to deny a user access to any ACL-protected resource, either explicitly with a Deny ACE or implicitly because no Allow ACE matches the user or any group in its token.

So it is entirely possible to add a Deny ACE or remove an Allow ACE on a resource and lock Administrators out of it. What Administrators do have is a special power: the ability to change any ACL, including granting themselves access they were just denied. Concretely, the Administrators group holds SeTakeOwnershipPrivilege by default, so an Administrator can take ownership of an object even when its DACL denies them everything, and the owner of an object is implicitly allowed to rewrite its DACL. Thus an Administrator can see "Access Denied", but it is unlikely to last for long.
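The sequence above (an explicit Deny ACE, the resulting "Access Denied", then recovery through ownership) as an added example, not code from the original post. It runs in an elevated PowerShell session on Windows; the directory and file names are arbitrary choices, and the deny is on ReadData rather than the broader Read so that reading the DACL itself stays allowed and the check can be observed:

```powershell
# Added example (not from the original post): lock Administrators out of a file with a
# Deny ACE, watch "Access Denied" happen, then recover via ownership.
# Run in an elevated PowerShell on Windows; $dir and $file are arbitrary choices.
$dir  = Join-Path $env:TEMP 'acl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'secret.txt'
Set-Content -Path $file -Value 'the DACL, not group membership, decides who reads this'

# Deny ReadData to BUILTIN\Administrators (well-known SID S-1-5-32-544). ReadData is
# used instead of Read so READ_CONTROL stays allowed and Get-Acl below keeps working.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$deny   = New-Object System.Security.AccessControl.FileSystemAccessRule $admins, 'ReadData', 'Deny'
$acl = Get-Acl -Path $file
$acl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $acl

# We are an Administrator, but the access check walks the DACL and hits the Deny ACE.
try {
    Get-Content -Path $file -ErrorAction Stop
} catch {
    "Access denied as expected: $($_.Exception.Message)"
}

# The special power: SeTakeOwnershipPrivilege lets an Administrator take ownership even
# when the DACL denies them everything, and the owner may always rewrite the DACL.
takeown.exe /F $file | Out-Null
$acl = Get-Acl -Path $file
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $file -AclObject $acl
Get-Content -Path $file          # succeeds again
```

In this particular run the takeown step is not strictly required, because the inherited Allow Full Control for Administrators still grants WRITE_DAC; it is the step that keeps working once a Deny ACE covers WRITE_DAC as well, which is the case the text is about.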

As for the identity of the user accessing the resource: when an Administrator makes a client-server connection such as HTTP, the identity under which server-side code runs is unrelated to the identity running the browser that made the request. It depends entirely on the authentication methods the web server accepts and on the credentials the browser and server negotiate.

In other words, a local Administrator can use a web browser to request a CGI EXE on the web server, but the web server can launch that CGI EXE under any identity it chooses server-side. Authentication only influences which identity that is.

Anonymous does not allow access

As for enabling anonymous authentication in IIS: this merely tells IIS to log on with a pre-configured user identity and execute the request under it, regardless of any authentication the client attempts. There is no special Windows account that magically passes access checks and has access to everything.

In fact, the identity used for anonymous access can be the target of Allow and Deny ACEs just like any other Windows user, so it is still possible to see "Access Denied" with anonymous authentication enabled. For anonymous authentication to have a chance of working, the password IIS has stored for the anonymous account must be correct (IIS reports a logon failure as 401.1) AND that account must actually have an ACE granting it access to the requested resource (a DACL failure shows up as 401.3). Otherwise you still get a 401, and browsers keep popping up the login dialog no matter what credentials you enter (this is only one way to end up in that state; there are others).
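The two preconditions above, checked from an elevated PowerShell session, as an added example that is not code from the original post. It assumes IIS 7 or later with the WebAdministration module (on IIS 6 the same two checks apply, but the anonymous account is read from the metabase instead); the site name, file path and the password prompt are assumptions for illustration, and the credential check assumes a local account:

```powershell
# Added example (not from the original post): verify the two things the text says
# anonymous access needs: (1) IIS can log on the configured anonymous account, and
# (2) the file's DACL has an ACE that lets that account in.
# Assumes IIS 7+ and WebAdministration; $site and $file are assumptions.
Import-Module WebAdministration
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$site = 'Default Web Site'
$file = 'C:\inetpub\wwwroot\default.htm'

# 1. Which Windows account does IIS log on for anonymous requests to this site?
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
$anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $site -Filter $filter -Name userName
if ([string]::IsNullOrEmpty($anon) -or $anon -eq 'IUSR') {
    $anon = 'IUSR'   # built-in account: no stored password to get out of sync
    "Anonymous identity is the built-in IUSR account."
} else {
    # A custom account: IIS must be able to log it on with the stored password.
    # A wrong password fails here, before any ACL is consulted (IIS reports 401.1).
    # Assumes a local account; use ContextType 'Domain' for a domain account.
    $password = Read-Host -Prompt "Password configured in IIS for $anon"
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext 'Machine'
    if ($ctx.ValidateCredentials($anon, $password)) {
        "Logon for $anon succeeds."
    } else {
        "Logon for $anon FAILS: fix the stored password before looking at ACLs."
    }
}

# 2. What does the file's DACL say about that account? A Deny ACE naming it (or a
#    group in its token) wins; with no matching Allow ACE at all, IIS returns 401.3.
#    Only the account itself and Everyone are matched here; nested group membership
#    is not expanded, so check groups such as Users separately if nothing matches.
$anonSid  = (New-Object System.Security.Principal.NTAccount $anon).Translate(
                [System.Security.Principal.SecurityIdentifier])
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
(Get-Acl -Path $file).Access |
    Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $sid -eq $anonSid -or $sid -eq $everyone
    } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

If step 1 fails, nothing in step 2 matters yet: IIS never reaches the file. If step 1 passes and step 2 shows a Deny ACE, or no Allow ACE for the account or any group it belongs to, that is the "Access Denied" the text describes, and an explicit Allow for the anonymous account on the resource (not a change to the authentication settings) is what fixes it.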

I hope this helps to demystify two common IIS misconceptions.

//David