Hi,

I'm looking at ways to restrict access to parts of a web site.

What I'd like to do is:
1)  Entirely prevent directory access for people not in allowed roles
2)  Lock pages against people without certain permissions.

Permission locking is working.

For directory locking I thought Web.Config with an authorization section
fitted the bill ideally.

What I've found.
A)  Authentication is forced as I wish.  Great.
B)  My custom roles seem to be ignored.

I can imagine what the issues might be but before digging further I
wondered if anyone had tackled this issue, and is prepared to share
their findings.

For interest the Web.Configs I'm talking about look like:

<?xml version="1.0" encoding="utf-8" ?>
<!-- T...  -->
<configuration>
	<system.web>
		<authorization>
			<allow roles="Client" />
			<deny users="?" />
		</authorization>
	</system.web>
</configuration>

Mike Gale, Decision Engineering (NZ) Ltd.