IIS reports 401.3 error for static files, but appears to have correct ACL
Solution 1:
I had a similar problem with my web site on Windows Server 2008:
- Forms and anonymous authentication enabled
- Granted full access on the folder to the application pool user
- Granted full access on the folder to the iis_iusrs group
To test I used two pages:
hello.htmlhello.aspx
hello.aspx came up just fine. hello.html threw a 401.3 unauthorized. Microsoft sysinternals procmon reported "ACCESS DENIED" on hello.html by the application pool user when I tried to browse to the page.
To resolve the problem I added the user IUSR to the access control list for the web site folder. IUSR is not listed in the Windows management tool users list, but it comes up if you search for it when adding a user in the folder properties security tab.
I found it very strange (and confusing) that procmon reported the user trying to access hello.html was the application pool user, and not iusr.
Solution 2:
I discovered what was causing the problem:
It turns out that the "Encrypt contents to secure data" attribute was set for each of the files.
I accessed the properties for each file and unchecked that checkbox (right-click -> Properties -> Advanced... (next to Attributes) -> uncheck Encrypt contents to secure data), and everything is back to normal.
Solution 3:
I had a similar issue today, and what fixed it for me was your second point about giving the IUSR account read and modify permissions on the files and directories (it wasn't just the static files that I was dealing with)