We're moving a website that was previously hosted on Win2k3 & IIS 6 to a Win2k8 R2 & IIS 7.5 platform.

The website is public, but we want to restrict anonymous access to certain files and folders such that the user would be prompted for a password to access them.

If this were Apache, a simple .htaccess file would serve the purpose. However, since it's IIS 7.5 and we're serving up mainly static HTML files and a few classic ASP pages I'm in a bit of a quandry as to how to restrict access to individual files and folders for various committees such that attempts to committee_1's files and/or folders would prompt the user for a password and, if entered correctly, would serve up their files. Same thing for committee_2 and so on.

Under IIS 6, we would take away the read privileges for IIS_IUSRS and create a user called "committee_1" with a password known by the group and give that user read privileges to the files/folders.

There's got to be a better (and more secure) way.

Reminder, these are not *.aspx pages that are being served up.

Any suggestions on how to password protect key files and/or folders under IIS 7.5 are much appreciated.