How Security Works in ASP.NET (IIS 6.0)
Helping protect Web sites against unauthorized access is a critical, complex issue for Web developers. A successful system requires careful planning, and Web site administrators and programmers must have a clear understanding of the options for securing their site.
ASP.NET works in concert with the Microsoft .NET Framework and Internet Information Services (IIS) to help provide Web application protection. To help protect an ASP.NET application, you must perform the two fundamental functions described in the following table.
IIS can also grant or deny access based on a user's host name or IP address. Any further access authorization is performed by NTFS file access permissions and URL authorization.
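The URL authorization mentioned above is configured in the application's Web.config file. The following is an added example, not taken from the original page; the Admin folder and the CONTOSO\SiteAdmins group are constructed names. It shows why rule order matters, with the weak ordering kept in a comment for contrast.

```xml
<?xml version="1.0"?>
<!-- Constructed example Web.config. The "Admin" path and the
     "CONTOSO\SiteAdmins" group are assumptions for illustration. -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; ASP.NET uses the resulting
         Windows identity for the authorization rules below. -->
    <authentication mode="Windows" />

    <!-- URL authorization for the whole application. Rules are read
         top to bottom and the first matching rule decides, so the
         deny for anonymous users ("?") has to come first. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rules for one subfolder: members of one group are
       allowed, every other caller is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\SiteAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Weak ordering, shown for contrast only:
         <authorization>
           <allow users="*" />
           <deny users="?" />
         </authorization>
       "*" matches every caller, anonymous ones included, so the
       deny rule beneath it is never evaluated. -->
</configuration>
```

On IIS 6.0 these rules apply only to requests that are mapped to ASP.NET, so content served directly by IIS still depends on NTFS permissions and the IIS settings.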
It is helpful to understand how all the various security subsystems interact. Since ASP.NET is built on the Microsoft .NET Framework, the ASP.NET application developer also has access to all the built-in security features of the .NET Framework, such as code access security and role-based user-access security. For details about the security capabilities of ASP.NET, see ASP.NET Code Access Security.