ASP.NET 2.0 & IIS 6.0 Folder Security. Directory Security

January 31, 2010 18:33 by XeroOne

ASP.NET 2.0 (and later) provides excellent built-in functionality for managing users, memberships, and roles, which we've used in many of our projects for securing site administration portals, intranets, and more. However, there is one major problem.

The Problem

ASP.NET does not handle folder-based security properly. By default, ASP.NET's httphandler only handles certain file types (a list of the file types and descriptions can be found here). The web.config file allows you to specify the users and roles that can access the files within a specific directory; however, because of the limited file-type support in the httphandler, unsupported file types are not protected, since IIS serves them directly without ever handing the request to ASP.NET. For example, we used forms authentication to deny unauthenticated users access to our /Secure directory. Thus http://www.XeroOne.com/secure/default.aspx is protected, but http://www.XeroOne.com/secure/not-secure.html is still accessible by anyone.

On Linux and Apache servers, the .htaccess file is a good solution for protecting entire directories, and it can be used in a Windows environment, but it is not a good solution in our case because it takes user authentication control away from ASP.NET Membership. What we needed was a solution that allowed us to continue using ASP.NET Membership to manage and authenticate our users, while also protecting non-ASP.NET files for an entire directory.

The Solution

There is no catch-all solution that will work in every scenario. What we've developed is a GOOD system that handles the most common cases, and even a few of the more uncommon ones. Our solution does require that you have access to IIS 6.0 administration in order to implement it. If you're using a shared hosting environment, then our solution simply isn't for you.

In short, all we're doing is creating additional entries in IIS's application extension mappings so that the extra file types are routed through aspnet_isapi.dll, where ASP.NET's authorization applies. You'll need to determine ahead of time which file types you will need to protect. For simplicity, this example will show you how to add protection for .html, .pdf, and .doc.

Step 1: Add the IIS entries

  1. Open IIS 6.0, choose your virtual directory, and open the configuration properties window (right-click, choose Properties).
  2. Click on the "Home Directory" tab and click on "Configuration".
  3. Select the ".aspx" extension in the list, and click on the "Edit" button. Copy the path found in the "Executable" textbox (the path to aspnet_isapi.dll).
  4. Click on the "Cancel" button to close the "Add/Edit Application Extension Mapping" window.
  5. Click on the "Add" button in the "Application Configuration" window.
  6. Paste the copied path to aspnet_isapi.dll into the "Executable" text area.
  7. Type the extension you are adding in the "Extension" text area. This can be any extension you want, e.g. .html, .pdf, .doc, etc.
  8. Choose the "Limit to" radio button and type "GET,HEAD,POST,DEBUG" in the textbox.
  9. Ensure the "Script engine" checkbox is selected, and the "Check that file exists" checkbox is deselected.
  10. Click on the "OK" button to finalize the process and close the window.
  11. Repeat steps 5 - 10 for each file extension you will be adding.

Step 2: Update the application's web.config

  1. Open the web.config file for your application for editing.
  2. Find the <httpHandlers> section of the XML.
  3. Within this section, add the following entry for each file extension you added to IIS:
            <add verb="GET,HEAD,POST,DEBUG" path="*.html"
                     type="System.Web.UI.PageHandlerFactory"/>
  4. Note: replace "*.html" with whatever extension you are adding.
  5. Find the <compilation> section of the XML and ensure the definition appears as below:
            <compilation debug="false" strict="false" explicit="true">
  6. Within the <buildProviders> section, add the following entry for each file extension you added in IIS:
            <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />


When you are complete, your web.config sections should appear as follows:

<httpHandlers>
        <add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.pdf" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.doc" type="System.Web.UI.PageHandlerFactory"/>
</httpHandlers>

and

<compilation debug="false" strict="false" explicit="true">
        <buildProviders>
                <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".pdf" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".doc" type="System.Web.Compilation.PageBuildProvider" />    
        </buildProviders>
</compilation>
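As an added example (not part of the original post), here is what a complete web.config for the scenario above could look like: the handler and build-provider entries from this post, combined with the forms-authentication and <location> authorization rules that deny anonymous users access to the /Secure folder. The folder name "Secure" comes from the post; the login page name and the exact layout of the file are assumptions for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Assumed for this example: forms authentication with a login page at /Login.aspx -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Entries from the post: route the extra extensions through ASP.NET so that
         UrlAuthorizationModule runs before the file is served. Each extension must
         ALSO be mapped to aspnet_isapi.dll in IIS (Step 1); the web.config entry by
         itself does nothing for a request that IIS never hands to ASP.NET. -->
    <httpHandlers>
      <add verb="GET,HEAD,POST,DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
      <add verb="GET,HEAD,POST,DEBUG" path="*.pdf"  type="System.Web.UI.PageHandlerFactory"/>
      <add verb="GET,HEAD,POST,DEBUG" path="*.doc"  type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>

    <compilation debug="false" strict="false" explicit="true">
      <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".pdf"  type="System.Web.Compilation.PageBuildProvider" />
        <add extension=".doc"  type="System.Web.Compilation.PageBuildProvider" />
      </buildProviders>
    </compilation>
  </system.web>

  <!-- The authorization rule the post refers to: deny anonymous users ("?")
       everything under /Secure. This rule only covers requests that reach
       ASP.NET, which is exactly why the mappings above are needed for files
       that are not .aspx. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, verify the result from a logged-out browser session: a request for /Secure/not-secure.html should now redirect to the login page instead of returning the file, and the same should hold for every extension you mapped. Two caveats worth keeping in mind: any extension you did not map in IIS (images, .txt, .zip, and so on) is still served directly by IIS and remains unprotected, so the Step 1 list must cover every file type stored under the folder; and because the mapped files are compiled through PageBuildProvider, ASP.NET parses them as pages, so any server tags they contain will execute, which means only content you trust should live under such a folder. For binary types such as .pdf and .doc, the System.Web.StaticFileHandler type shipped with ASP.NET 2.0 is a variation to evaluate in place of PageHandlerFactory, since it serves the bytes unchanged while still passing through authorization; that is a variation, not what the post describes.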

That's it. You're done!


Ten Things to Look for in a Web Hosting Package

July 21, 2009 08:57 by XeroOne

When you’re ready to publish your website and make your presence known to the world, one of the first things you’ll need to do is decide which web hosting package is best for you and your web needs. There are a lot of hosting firms out there. The more you know the better you will be able to make a decision that will keep you happy with your hosting provider. If you’re looking for some ideas to help guide you through the search, here are some important things to keep in mind that may help you.

1. Easy, Intuitive Interface

Managing a website can include a lot of complex programs and a lot of working parts. Luckily, some web hosting providers have created simple, intuitive navigation protocols. Look for hosts that offer a work environment similar to what you usually use, such as a Windows-style interface.

2. Versatile Emailing

When you manage a website, the primary means of communicating with your visitors and users on a one-to-one basis is through email. Email may seem basic, but good email systems are something you should make sure your potential web host has covered. For example, look for POP3 email and alias capabilities.

3. Backups and Virus Protection

Another important characteristic of an affordable web hosting package is the features included to protect your web presence. It is vital that your plan include some sort of auto backup feature as well as some sort of virus screening or protection.

4. FTP, Virtual FTP

You will want to be able to access and modify your files remotely. You will also want to have flexible control over how you upload your vital files. FTP services make managing crucial web assets easy.

5. MySQL and PHP

Among the most effective and powerful programming tools available to web developers is the PHP language and the MySQL protocol. Using these industry standards will help keep you compatible with a variety of web browsers and back-end applications.

6. Free Statistics Tracking

Today, most web-hosting packages should provide free or at least inexpensive web analytics. These tools can help you track who is coming to your site, when and how often.

7. SPAM Program

With the unbelievable amount of spam mail flying around the Internet today, it is imperative that any new hosting package includes a filter to protect your inbox from spam attacks. Otherwise, you could spend a lot of time sorting through unwanted messages.

8. Security Protection

Any web hosting package worth its salt should obviously be secure. Check to be sure that the provider offers SSH security shells. These can be especially useful for ecommerce solutions and subscription functions. They also make managing secure files easy.

9. HTTPS Functions

This sort of protection should be available as a standard or inexpensive feature. It tells you and your ecommerce customers that personal information and order details remain secure during transit.

10. Webmail Access

Of course, you want your email to be accessible even when you are not at your personal computer. Having a webmail account enables you to stay in reach of important emails from any active web connection.


About the Author

XeroOne Systems
This blog is dedicated to the various topics surrounding web development, specifically using ASP.NET, C#, MS SQL, HTML & CSS, XML, and the many JavaScript frameworks currently available (MooTools, jQuery, Scriptaculous, Prototype, Ext.Js, etc.).
Periodically we will share our knowledge and experience through this blog. We may post code samples, tips and tricks, shortcuts and workarounds, our reviews of new web technologies, and (from time to time) unrelated anecdotes.
Please contact us if you have an idea or suggestion you'd like us to write about. If you like what you've read, be sure to subscribe to our blog using your favorite RSS reader.
