IIS 6 incorporates a new authorization framework designed to extend the object-based authorization system in previous versions. The object-based system restricted access based on the access control list for file or directory, which was based on the settings applied to the underlying storage mechanism (typically an NTFS file system).

However, it's impossible to use this with a dynamic-based Web application because the application could provide a number of different facilities through the same file. These applications are task based, and restricting access on this basis required that the developer build his own system that could control access based on his authentication credentials and a built-in authorization role.

The new authorization framework allows developers to add and extend the authorization system to provide mechanisms that can work with the existing authentication system from within their application to authorize different areas of their system based on roles, tasks, and other criteria.

The main solution at the time of release is a URL-based authorization system that can apply authorization policy within a given application and therefore against specific URLs rather than objects. The authorization policies can be stored independently of the application and then shared among a number of applications.

The system relies on the .NET Framework and can also be used and applied within ASP.NET applications directly. Configuring the system is beyond the scope of this book, so check the Windows documentation for more information.