Understand anonymous authentication and IUSR account

Note:

Dreamweaver UltraDev is no longer supported, and the Dreamweaver UltraDev support center will no longer be actively updated. The functionality available in Dreamweaver UltraDev is available in Dreamweaver, beginning with Dreamweaver MX.

Anonymous access, the most common web site access control method, allows anyone to visit the public areas of a website while preventing unauthorized users from gaining access to a web server's critical administrative features and private information. Anonymous authentication gives users access to a website without prompting them for a user name or password. When a user attempts to connect to a public website, the web server assigns the user to the Windows user account called IUSR_computername, where computername is the name of the server on which IIS is running.

By default, the IUSR_computername account is included in the Windows user group Guests when IIS is installed on the server. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public internet users. The account used for Anonymous authentication can be changed in the Internet Service Manager, either at the web server level or for individual virtual directories and files. Security privileges for the IUSR_computername account can be changed with User Manager on Windows NT, or with Local Users and Groups in the Computer Management console on Windows 2000.

IIS uses the IUSR_computername account in the following way:

  1. The IUSR_computername account is added to the Guests group on the computer.
  2. When a page request is received, IIS impersonates the IUSR_computername account before executing any code or accessing any files. IIS is able to impersonate the IUSR_computername account because the user name and password for this account are known by IIS.
  3. Before returning a page to the browser, IIS checks NTFS file and directory permissions to see if the IUSR_computername account is allowed access to the file.
  4. If access is allowed, authentication completes and the resources are made available to the user.
  5. If access is not allowed, IIS will attempt to use another authentication method. If none is selected, IIS returns an "HTTP 403 Access Denied" error message to the browser.

Note: The anonymous account must have the user right to log on locally. If the account does not have the Log On Locally permission, IIS will not be able to service any anonymous requests. The IIS installation specifically grants the Log On Locally permission to the IUSR_computername account. Also, if the anonymous user account does not have permission to access a specific file or resource, the web server will refuse to establish an anonymous connection for that resource.
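
Because the NTFS check in step 3 decides what an anonymous visitor can reach, it is worth auditing which files under the content directory grant the anonymous account more than read access. The script below is an added example, not part of the original article or of IIS; it assumes a server where PowerShell is available, and the content path C:\Inetpub\wwwroot and the parameter names are assumptions to adjust for your server.

```powershell
# Added example: list NTFS entries that let the anonymous account change web content.
# Assumptions: content lives under $WebRoot; the account is named IUSR_<computername>.
param(
    [string]$WebRoot     = 'C:\Inetpub\wwwroot',
    [string]$AnonAccount = "IUSR_$env:COMPUTERNAME"
)

# Identities whose Allow entries apply to an anonymous request:
# the account itself, the Guests group it is placed in, and Everyone.
$principals = @("$env:COMPUTERNAME\$AnonAccount", 'BUILTIN\Guests', 'Everyone')

# Only the bits that permit changes. Modify and FullControl are left out of the
# mask on purpose: they also contain the read bits and would match read-only entries.
$changeBits = [int][System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

# Include the root folder itself; Get-ChildItem returns only its descendants.
$items = @(Get-Item -LiteralPath $WebRoot) +
         @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        continue
    }
    foreach ($ace in $acl.Access) {
        $applies = $principals -contains $ace.IdentityReference.Value
        $allows  = $ace.AccessControlType -eq 'Allow'
        $changes = ([int]$ace.FileSystemRights -band $changeBits) -ne 0
        if ($applies -and $allows -and $changes) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

An empty result means no entry naming those three identities allows changes; entries granted through other groups the account belongs to are not covered by this check.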

Additional information

For more detailed information about Anonymous Authentication and the IUSR account, please refer to IIS Technical Documentation. If IIS is installed, you can view the product documentation by typing http://localhost/iisHelp/ in your browser address bar and pressing Enter.

For additional information, see Set IIS web server permissions.

For an excellent source of information on security issues with IIS, see the Microsoft Safety and Security Center.
