Is there a way to disable the FileSystemObject (FSO) on a per-site
basis?  De-registering the DLL is not an option, nor is running each
virtual site under it's own logon, and restricting permissions for
that username.

If this is not possible, is there a way to restrict FSO to it's
virtual directory?  I realize this should be done via NTFS
permissions, however I would like to have an added level of security
in this case.

Thank you.

I'm pretty sure NTFS permissions take care of this.  There's no way
around permissions as far as I'm aware of.  I've never heard of a way
to disable FSO on a per-site basis, but I'm not really an expert on
this.  My advice is just use permissions and not worry about it unless
you've had problems with it already.

xemion-ga

Even secure NTFS permissions levels still allow you to view, enumerate
and get the properties of several files that could be considered
confidential.  This is the case here. There's no way to restrict
*everything* via NTFS so it is unaccessible, since these files are
needed for the process' operation.

Actually, this can be done using NTFS.

If you alter the account credentials used by the site (requires manual
modification of the metabase via adsutil or some app which uses the
IIS provider) and deny rights to the dll for the user, you'll be set.