(Sorry I realized I unintentionally posted this to the ASP newsgroup)
Ok, I have figured this out - it may not be the bast way, so feel free
to comment. I downloaded the IIS Metabase Explorer (included in the
IIS6.0 resource kit from microsoft.com -
http://www.microsoft.com/downloads/d...DisplayLang=en)
Using metabase explorer, I navigated to (servername) -> LM -> W3SVC and
found the property AnonymousUserPa ss. By default, it doesn't display
secured data, so you have to select View -> Secure Data. Because I
didn't want to reconfigure all of my sites, I didn't want to change
this password, so I copied it and pasted it into IIS where you set the
anonymous account and password. Voila, everything was happy.
This seems silly to me for a couple of reasons. First, every document
I found said you have two options to fix this - enable
sub-authentication and run the directory as LocalSystem (effectively
disabling much of the security enhancements of IIS6.0), or edit the
metabase and change the password to a value know by you. The former
option is a complicated and unnecessary solution to a simple problem.
The latter option would require you to reset the password in IIS on
every site (and every folder in every site using a different
authentication method or account than the main site). Why didn't I
ever find a document that described what I did, which seems to me to be
the easiest way to just get back to the default?!
Another concern is that the password is stored in the metabase in plain
text. (Oh, but that's ok, because no hacker could ever figure out
using metabase explorer and figure out the option of view -> secure
data.?!?!?) Now I know that the IUSR account should have virtually no
privileges other than to read websites, but still, the concept of
storing an account's password in plain text is always disconcerting.
Another concern is the ability to take down every single website on
your server using anonymous access by editing your metabase and
changing the AnonymousUserPa ss property. Sounds like a hacker's dream
come true to me (granted, if they had access to your metabase, there's
probably lots worse things they could do...)
Please correct me in my assumptions if I am incorrect in anything I
have said - I am moving from IIS5 to IIS6, so I'm still learning the
ins and outs of IIS6.