Hi all,
I have been struggling to restrict static files from being downloaded from browsers, but I am not able to restrict them. I know that the following code should work, but it is not working.
This is the root web.config file code.
<location path="Templates">
      <system.web><authorization><deny users="*"/></authorization></system.web>
</location>

I have some documents and Excel files available in the Templates folder in the root folder. I want to restrict the files for all users.

Could anyone please help with this?

What I have tried:

I have used the following code in both root web.config file and Templates folder web.config file.

<location path="Templates">
      <system.web><authorization><deny users="*"/></authorization></system.web>
</location>
Updated 15-Mar-22 8:26am

The problem is that the ASP.NET runtime is not involved (by default) when serving static content, like files from your folder...
If the runtime is not involved, then no one will check what is written in the web.config file...
You have several options:
1. Map relevant file types to the ASP.NET engine
2. Write a custom handler to serve (or deny in your case) those files
3. Use the integrated pipeline in IIS 7 to make all requests invoke the ASP.NET runtime...

Understanding IIS 7.0 URL Authorization : The Official Microsoft IIS Site
Kumarbs 23-Feb-16 0:03am
Thank you for your solution. The following code fixed my problem.
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />

I have gone through the Microsoft support site "", which provided the solution below

<add verb="*" path="*.doc" type="System.Web.HttpForbiddenHandler" />

But this doesn't solve my problem. Could you share your thoughts on this?
Kornfeld Eliyahu Peter 23-Feb-16 2:43am
That solution didn't solve your problem, because a direct link to the file (doc) does not use the web.config at all unless you use URL authorization, as you did...
Kumarbs 23-Feb-16 3:56am
Thank you very much for your inputs.
Again, in what scenario will ForbiddenHandlers be helpful?
You can restrict the folder with hiddenSegments, introduced in IIS 7.0. You need to put the <security> under <system.webServer> in web.config.
          <add segment="folderName" />
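
The pieces from this thread assembled into one root web.config, as an added example that is not from any of the posts: it assumes IIS 7 or later with an integrated-pipeline application pool and uses the Templates folder name from the question. Options A and B are alternatives; either one alone blocks browser requests for the folder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: root web.config, IIS 7+ integrated pipeline (assumption). -->
<configuration>

  <!-- Option A: ASP.NET URL authorization rule for the folder. -->
  <location path="Templates">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- The default registration of this module carries
           preCondition="managedHandler", so it is skipped for static
           files such as .doc and .xls and the rule above is never
           evaluated. Re-adding it without a preCondition makes it run
           for every request, static content included. -->
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
    </modules>

    <!-- Option B: request filtering. A URL that contains the path
         segment "Templates" is rejected by IIS with 404.8, without
         involving ASP.NET at all. -->
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="Templates" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```

Both options act on HTTP requests only, so server-side code can still read the files from disk and return them to the users it chooses.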
