I have seen a few older posts that have presented this same issue, but there was no resolution in the thread. I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages. Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents. Tested with an html page and html page is blocked properly. It is my understanding that IIS passes the control to cf, cf diplays the cfm page.
Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings. I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server. I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
Thanks!
Tanya