Accessing Files in IIS 6.0

What are the operations in order performed by IIS 6.0 if you launch IE to send a request via the URL http://myServer/myApp/test.xyz?

Here is what I found by performing some testing. I might be wrong at some points. So be cautious.

• IIS performs authentication/authorization. If it fails at this step, a HTTP Error 401.1 is returned.
• IIS does MINE maps.
• IIS 6.0 will not deliver content for which there is no MIMEMap entry at the Computer level and in the registry MIME mapping configuration. In this case, a HTTP Error 404 is returned and a HTTP Error 404.3 is logged.
• If there is no MIMEMap entry at myApp (site) level and there is a MIMEMap entry at the Computer level or in the registry MIME mapping configuration, then the request will be processed by the IIS static file handler.
• If there is a MIMEMap entry at myApp (site) level, then the ISAPI extension in the corresponding IIS script mapping will be responsible for processing the request. Assume that this is the case by now.
• IIS starts to check "Execution Permission" on the Virtual Directory tab of the Properties dialog box. If "Execution Permission" is not allowed to process the request, a HTTP Error 403.1 is returned.
• Next IIS starts to check "Web Service Extensions". If there is a corresponding Web Service Extension and the Web Service Extension is prohibited, then a HTTP Error 404 is returned and a HTTP Error 404.2 is logged.
• Now IIS starts to load the ISAPI extension in the corresponding IIS script mapping to process the request.

Recently I read the following two articles regarding to IIS security:

• Are You Protected? Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0 by Michael Volodarsky
• Essential Security Administration For IIS 6.0 by Brett Hill

Neither articles are made clear on MIMEMaps. Michael's article is excellent except the tiny thing on MIMEMaps. Every developer working on ASP.NET and IIS should read this article.