Restricting Anonymous Access to Specific Pages in a SharePoint Site

A question came up several months ago in one of the Developer Panel presentations at the Best Practices Conference about whether access to individual pages could be restricted on a SharePoint anonymous access site. One my friends who was on the panel replied that he didn’t think it was possible. Since I had previously researched that question for a client I pointed out that it was indeed possible, but that it was not an intuitive process. My friend then jokingly asked whether I had Blogged on how to do it and when I responded "No" he pointed out that I shouldn’t be discussing things in public that I hadn’t Blogged on. It was a joke, but he was right. I left the conference fully intending to blog about the process the next week, but never got around to it.  Its now the end of the year and things are slowing down a bit so I plan to fix that issue by blogging on several topics that have fallen by the wayside in the last year. This is just the first.

In a normal anonymous access ASP.NET web site access to specific pages can be restricted by modifying the NTFS security permissions on the specific file to exclude the IUSR_computername user from having read access to the file. But this model raises two issues when trying to do the same thing in a SharePoint anonymous access environment. First, SharePoint doesn’t make use of the IUSR_computername account specified in IIS for anonymous access, so changing the SharePoint permissions associated with this account will have no effect. Second, although security permissions can be configured at the Web site, List/Library, or item level in SharePoint anonymous access can only be configured at the first two of those levels. Adding the IUSR_computername account as a SharePoint user and restricting item level permissions for that user has no effect on the permissions granted to an anonymous user.  So on the surface there appears to be no way to configure anonymous access rights on a specific page or file to require that viewers of that page be authenticated.

But if you dig a little deeper into how anonymous access really works in SharePoint you discover that there is a way to require anonymous access for specific pages and files. First, you need to understand that anonymous access users in SharePoint are actually provided the same permissions that a user with the Limited Access permission level is given.  When you configure anonymous access at the Web site, List or Library level in SharePoint you are telling SharePoint to allow all non-authenticated users access to objects at that level as though they had the Limited Access permission level.  By default this permission level will be inherited by all objects below it in the hierarchy.  It is this Limited Access permission level that gives anonymous users access to list items and documents.  But that only works if security inheritance isn’t broken.  If you edit the specific permissions on a list item or document, that item will only have the permissions you assign to it.  Since you can’t manually assign limited access and anonymous access is not configurable at item or document level this security setting will prevent anonymous users from accessing the list item or document.  When an anonymous user tries to access a document or list item that has specific security settings they will be prompted to log in.