
Thread: IIS ... preventing file download

  1. #1

    Hi guys

    I have a little project and I need some advice to protect a file.

    I have a plain text file containing user logons and passwords. I am using ASP to read/write to the file (i.e. when users need to change their password).

    The file is in a separate folder from the main files but I've tested it tonight and it's possible to simply type in the direct URL and the txt file will be downloaded to your browser.

    If I change the file/folder permissions for IUSR, then the ASP code fails as there are no permissions to write the file. I need to allow IUSR as I need to upload files to the folder.

    Is it possible to prevent a file being downloaded, but still have write permissions?

    Cheers
    AussieM8

    PS - I know there are other more secure options, but I want to stick with IIS and ASP/Javascript programming for the time being.
    Last edited by AussieM8; 27-02-11 at 08:42 AM.



  • #2
    Philquad

    What about password protecting the folder or file?

  • #3

    Not an ASP/IIS person... but shouldn't you be keeping these sorts of files outside the boundaries of what your website delivers by direct HTTP requests? Aim being to only manipulate the file via the code present in your active pages?

    In Apache you can configure it to specifically prevent delivering file(s) (often used for .htaccess and .htpasswd files); maybe IIS can do the same?

    Jim.....
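
An added example, not part of any post in this thread: one way IIS can refuse to serve a folder over HTTP while the NTFS write permission for IUSR is left alone, which is the split the original question asks about. It assumes IIS 7 or later with the Request Filtering feature installed and a web.config in the site root; the folder name "data" is a placeholder for the folder that holds the logon file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Assumes IIS 7 or later with Request Filtering installed. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- "data" is a placeholder: use the name of the folder that
               holds the logon file. Any URL with this path segment is refused. -->
          <add segment="data" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Requests for any URL containing a /data/ segment are rejected with HTTP 404.8, while the ASP pages keep reading and writing the file through the file system, so the IUSR permissions on the folder do not need to change. Files uploaded into the same folder also stop being reachable by direct URL.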
