Hi all,
I have an ASP.NET app that connects to SQL server to
store and retrieve data, and users may upload and download
files from the server using System.IO namespace's functions.

In my machine.config file i have writed "SYSTEM" as user for
ASP.NET (into the process model section). For security reasons
the directories where users upload and download files are protected
whit NTFS permssions that allows access only for Administrators.

I planned to use a function to impersonate an administrator user when
I upload and download files, buy I encountered that it is not neccesary
and I don´t know why.
If I have set that only Administrators can access to this directories in
NTFS permissions, and i have checked that the SYSTEM user of my
server is not a member of Administrators group. Is this a BUG into
NET security??.
I have checked that the user who is running ASP.NET process
is NT_AUTHORITY/SYSTEM
(using system.security.principal.windowsidentity.getcurre nt().name
function).

If someone knows something about this please tell me.

Thanks a lot.

--
Roberto López
Dpto. Soporte Software
Eurosistemas Informáticos y Comunicaciones, S.L.