How to forbid usage of web.config files?

I have a Windows 2008 R2 server with IIS7.5 installed. I need to provide users with read-write access to some directory tree via WebDAV. The same users will also be able to reach the same directories by other means - FTP, SFTP, CIFS, etc.

My aim: I don't want someone to be able to upload / modify web.config files in the published folders, thus modifying behavior of IIS. If such file is created, IIS should simply treat it as any other file.

Is it possible to concentrate all settings for the site in the applicationHost.config or in any other file outside the published tree, and make IIS ignore any additional web.config files?

Thanks!

Solution 1:

Found the relevant setting - it's called allowSubDirConfig. It can be specified either in virtualDirectoryDefaults element (for all sites) or in virtualDirectory element, in the applicationHost.config file.

Example:

<configuration>
    <system.applicationHost>
       <sites>
            <site name="Default Web Site" id="1" serverAutoStart="true">
                <application path="/">
                    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
                    <virtualDirectory path="/Temp" physicalPath="C:\TempRoot" allowSubDirConfig="false" />
                </application>
            <applicationDefaults applicationPool="DefaultAppPool" />
            <virtualDirectoryDefaults allowSubDirConfig="true" />
        </sites>
    </system.applicationHost>
</configuration>

web.config files under /Temp virtual directory won't be checked.

There are some other ways as well: http://www.sourceinaction.com/blog/web.config-dependencies-for-multiple-asp.net-web-applications