[This is preliminary documentation and subject to change]
Granting and Denying Access to Computers
You can configure your Web server to grant or deny specific
computers, groups of computers, or domains access to Web sites,
directories, or files. For example, if your intranet server is
connected to the Internet, you can prevent Internet users from
accessing your Web server by granting access only to members of
your intranet, and explicitly denying access to outside users.
- When you set security properties for a specific Web site, you
automatically set the same security properties for directories and
files belonging to that site, unless the security properties of the
individual directories and files have been previously set.
- Your Web server will prompt you for permission to reset the
properties of individual directories and files when you attempt to
set security properties for your Web site. If you choose to reset
these properties, your previous security settings will be replaced
by the new settings. The same condition applies when you set
security properties for a directory containing subdirectories or
files with previously set security properties. For more information
about setting properties, see the Properties and Inheritance of
Properties on Sites section in About Web and FTP Sites.
To grant access to computers, groups of computers, or domains
- In the IIS snap-in, select a Web site, directory, or file, and
open its property sheets.
- Select the appropriate Directory Security or File
Security property sheet. Under IP Address and Domain Name
Restrictions, click Edit.
- In the IP Address and Domain Name Restrictions dialog
box, select the Denied Access option. When you select this
option, you deny access to all computers and domains, except those
that you specifically grant access to.
- Click Add.
- In the Grant Access On dialog box, select the Single
Computer, Group of Computers, or Domain Name
option. For more information about these options, click
Help.
- Click the DNS Lookup button to search for computers or
domains by name, rather than by IP address. Type in a name, then
click OK to close both dialog boxes.
To deny access to computers, groups of computers, or domains
- In the IIS snap-in, select a Web site, directory, or file, and
open its property sheets.
- Select the appropriate Directory Security or File
Security property sheet. Under IP Address and Domain Name
Restrictions, click Edit.
- In the IP Address and Domain Name Restrictions dialog
box, select the Granted Access option. When you select this
option, you grant access to all computers and domains, except those
that you specifically deny access to.
- Click Add.
- In the Deny Access On dialog box, select the Single
Computer, Group of Computers, or Domain Name
option. For more information about these options, click the
Help button.
- Click the DNS Lookup button to search for computers or
domains by name, rather than by IP address. IIS will search on the
current domain for the computer, and if found, will enter its IP
address in the IP address text box. Click OK to close
both dialog boxes.
Note
The following information is important to
remember when using this feature.
- Using DNS lookup decreases performance on your server while
it is looking up DNS addresses.
- A user accessing your Web server through a proxy server will
appear to have the IP address of the proxy server.
- Some problems that users have accessing the server can be
corrected by entering the "*.domainname.com" syntax rather than the
"domainname.com" syntax as the domain name in the Grant Access On
dialog box.
Using the Network ID and Subnet Mask
A group of computers can be either denied or granted access
based upon their network ID and a subnet mask. The network ID is
the IP address of a host computer, usually a router for the
subnet, or subnetwork. The subnet mask determines which part of
the IP address is a subnet ID, and which part is a host ID. All
computers in a subnet have the same subnet ID but their own host
ID. By specifying a network ID and a subnet mask, you can select a
group of computers.
For example, if the host computer has an IP address of
172.16.16.1 and a subnet mask of 255.255.0.0, all of the computers
in that subnet would have IP addresses that began with 172.16. To
select all of the computers in the subnet, enter 172.16.16.1 in the
Network ID text box and 255.255.0.0 in the Subnet
Mask text box. For more information, see the Windows 2000
Server Resource Kit or a reference on TCP/IP protocols.
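The network ID and subnet mask comparison described above, combined with the Granted Access and Denied Access options, as an added Python example that is not part of the original documentation or of IIS itself. It assumes the usual bitwise AND comparison; the function names, the all-ones mask for a single computer, the rejection of non-contiguous masks, and every sample address other than 172.16.16.1 and 255.255.0.0 are assumptions of this example.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def in_group(client_ip, network_id, subnet_mask):
    """True if client_ip has the same subnet ID as network_id under subnet_mask."""
    mask = _to_int(subnet_mask)
    host_bits = ~mask & 0xFFFFFFFF
    # Example-only check: a usable mask is a run of 1 bits followed by 0 bits.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous subnet mask: {subnet_mask}")
    # The host-ID bits of both addresses are masked off before comparing,
    # which is why a host address such as 172.16.16.1 works as a network ID.
    return (_to_int(client_ip) & mask) == (_to_int(network_id) & mask)

def is_allowed(client_ip, default_granted, exceptions):
    """Apply the default option plus its exception list.

    default_granted=False models "Denied Access" (exceptions are grants);
    default_granted=True models "Granted Access" (exceptions are denials).
    exceptions is a list of (network_id, subnet_mask) pairs.
    """
    matched = any(in_group(client_ip, nid, mask) for nid, mask in exceptions)
    return default_granted != matched

# Constructed sample entries; only 172.16.16.1 / 255.255.0.0 come from the text.
SINGLE = "255.255.255.255"  # assumption: a single computer as an all-ones mask
INTRANET_ONLY = [("172.16.16.1", "255.255.0.0")]
BLOCK_ONE_HOST = [("203.0.113.10", SINGLE)]

if __name__ == "__main__":
    for ip in ("172.16.200.7", "172.17.0.5", "203.0.113.10"):
        print(ip, "intranet-only:", is_allowed(ip, False, INTRANET_ONLY),
              "block-one-host:", is_allowed(ip, True, BLOCK_ONE_HOST))
```

The address evaluated is the one the server sees on the connection, so a request relayed through a proxy is matched against the proxy's address, as the note above says.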
© 1997-2001 Microsoft Corporation. All rights reserved.