IIS 7 by default doesn’t server some website folders and files such App_Data, App_Code, bin, App_GlobalResourses, App_LocalResources, Web.config, etc.

Open Internet Information Services Manager and select the website that you are interesting in denying web access to certain folders within that site. You can either add a properly configured web.config file to the website root, or add a web.config file within the particular sub-directory of the root, to block access to those directories / folders from web browsers.

Or you can use Request Filtering to Add a “Deny” list for each folder you want to restrict access, such as /data/, /_cgi-bin/, /admin/, etc. This deny sequence list will be configured in the web.config file, either in the root, or in the sub-folder itself.

Directions:

1. In IIS Manager, select the website under 'Sites“
2. Click the 'Request Filtering' icon in the middle pane
3. Select the '-url' Tab in the middle pane
4. Click 'Deny Sequence' in the 'Actions' pane to the right side of the interface
5. Now, Add the path of the first sub-folder between forward slashes, such as /data/
6. Click the OK button to add that sub-folder to the Deny list in the 'url' Tab pane
7. Repeat 'Deny Sequence' to create a list
8. Switch from Features view by clicking the 'Content View' view at the bootm of the middle pane
9. Click Ok to Save the these additions to the web.config file
10. Test your web interface by trying to directly access any folder in your url deny list