SharePoint 2003 - deny access using web.config

Question

As all you know, Sharepoint 2003 has simple access rights privilages. You can only grant rights (Reader, Contributor, Administrator) but unfortunatelly you can not deny access. So, if someone is not welcome in SharePoint portal there is no simple way to restrict access for him.

I found nice articles how to secure access to certain page using web.config:

<authorization>
  <allow users="MySuperAdmin"/>
  <deny users="*"/>
</authorization>

But... It doesn't work in my two SharePoint installations (test and live). No matter what I enter in <authorization> tag, I am still able to enter SharePoint pages. Even when I deny access for all, like this:

<authorization>
  <deny users="*"/>
</authorization>

... I am still able to see all pages (with my local Administrator user or any other non-admin user).

Could you please help what is wrong in my code?

Answer 1

Rather than editing web.config files, you should be able to design these security requirements with standard SharePoint 2003 features.

The key is that if a user isn't present in any of the groups then they don't have access. So just add the users/domain groups that should have access and not the rest.

Answer 2

HAve you tried adding a location tag around the authorisation tag in your post? i.e. like so:

<location path="_layouts/images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

P.S. Alex's answer is ultimately the correct one, even though it means throwing things around in Active Directory. We did the same at my company.