问题
I know that by defualt IIS won't server App_Data or bin folders content to the public.
How to set one more folder to don't server to public?
回答1:
The proper way to do that is using this:
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment="My_Directory" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
This allows you to still access files located there from the IUSR account, but prevents actual requests for files there from being filled directly.
Note that this will block files in that directory, and any subdirectories, no matter where that directory occurs - even if it, itself, is a sub-directory of something else.
回答2:
As the link-only answer points out, hiddenSegments is the right tool for the job. Go to IIS then the site and in Features find Request Filtering (must be installed at Server Manager) now add directory name that you want to prevent access to, or any segment of the URL really. This approach does require that a unique url or directory name be used in the site, otherwise any other occurrence of the segment at any level in the url, will cause that request to be blocked:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/hiddensegments
回答3:
Remove IIS_IUSR permissions from that folder.
I think its generically under the "Internet Guest Account"
来源:https://stackoverflow.com/questions/4038534/how-to-make-iis7-stop-serving-a-folder