AbleCommerce Shopping Cart Software

Does any one have a way of restricting access to the fckeditor directory to just logged in admin users?
When using a web.config file, it will not work on the .html.

We want to make sure that someone who is not logged in can not navigate directly to the fckeditor. html page and upload a malicious file into the assets dierctory.

To configure security on standard .html files in an IIS web server, you must set the Windows permissions on the folders themselves. Depending on the version of Windows Server you are using, this is probably the NETWORK SERVICE user account. Or the user account assigned as the identity for your application pool. No other users should be configured, except maybe your local Administrators group.

Regular .html files are not processed through the ASP.Net engine in the IIS server. That's why the web.config changes won't impact html file rendering.

Whatever you do, do not set EVERYONE or IIS_IUsers to have permissions to that folder. That opens the door you do not want open