A few years ago I developed a Classic ASP application, running on Windows Server 2003 Enterprise / IIS 6.0.
This app was designed to let users upload certain kinds of files, like .doc, .pdf, .rar, and a few others.
The above files are kept in a subfolder (./UserFiles) under the root folder of the application, in the file system of the server.
In the database, for each user's record there is a field called FileName. This field contains the real name of the file, and when the user retrieves the record the file is served as a URL, like http://app/UserFiles/File.ext.
It's obvious that if someone (an anonymous user) knows the full URL of a file, he could easily download it from the server without using the application's built-in authentication, but it wasn't a problem until now, because the above files are not classified.

Recently my company decided that the above files are no longer permitted to be available to anonymous users.
So I decided to rewrite the app and store the user files in the database as binary objects (BLOB fields).
The problem is that until I finish the new version of the app, the current app must be alive.
And the question is:
Is there a way in IIS, or by setting security settings on the folder, to prevent IIS from serving these files to anonymous users? And if there is such a way, will the application users still be able to upload files?