Problem with ASP.NET Windows Authentication/Impersonation ?

Hi All,

I've been trying to solve an access problem for a couple of days, with no success.

What I'm trying to do is secure a particular folder under the web root directory, using Windows authentication and impersonation. My current setup is as follows :

Windows Server 2003
IIS 6.0
ASP.NET 1.1
IE 6.0

I have set NTFS security on the web root and folder to be secured, and this seems to be set up correctly, as only authorized users can access the secured folder. Additionally, I have turned off anonymous access in IIS, leaving only the Windows Authentication box checked.

In the web.config file under the web root, I have the following :

<identity impersonate="true"/>

The authentication mode is set to true in the machine.config file, so I thought I had everything in place to simply secure the folder using NTFS security.....

What actually happens is that all authenticated users can browse to .aspx pages in the secure folder, even though they can't get at the folder using windows explorer (making me think that the NTFS security is set correctly)...

To ensure that the users were being impersonated correctly, I made the .aspx pages display the currently impersonated user, which proves (I think) that the impersonation was working.

So now I'm stuck - the impersonation seems to be working, but the pages in the secured folder are still displayed whereas, according to NTFS security, they shouldn't be....The only users with access to the folder under NTFS security are "NETWORK SERVICE" and "SYSTEM". It seems as if, because the user has been authenticated at root level, they are authorized to all folders below the root (for .aspx pages). To further confuse me, if I put a classic asp (.asp) page in the secure folder, the security works and the users can't get at it - which is what I need for the .aspx pages!

Can anyone please help ?

Thanks.