In Publishing Sites for anonymous audiences you may have comes across the interesting artifact of Forms pages being visible to anonymous users. An example of this might be a site which allows anonymous access to the Entire Site, anonymous users will be able to navigate (and may get redirected to) URLs like http://domain/Pages/Forms/AllItems.aspx, or http://domain/Documents/Forms/AllItems.aspx. AllItems.aspx could really be any view on the list.
There's actually an out of the box feature that ships with MOSS. It's called the "ViewFormPagesLockdown" feature and it's already installed, it just needs to be activated.
To activate the feature you need to use the STSADM utility like below:
stsadm.exe –o activatefeature –url [Site Collection URL] -filename ViewFormPagesLockdown\feature.xml
To deactivate run:
stsadm.exe –o deactivatefeature –url [Site Collection URL] -filename ViewFormPagesLockdown\feature.xml
What Does ViewFormPagesLockdown Actually Do?
There's no real easy way to say hide AllItems.aspx or similar views from users if you're running anonymous access on your site. These users run under the Limited Access privilege set, a default set of permissions that you can't change through the UI, which is why we have this Lockdown feature to assist you.
When you activate this feature you change the permissions of the Limited Access privilege group removing the following permissions:
View Application Pages (List permission), and
Use Remote Interfaces (Site permission). Here's a table of what that privilege set looks like before and after running the lock down feature. It's
from the Microsoft article.
Permission | Limited access — default | Limited access — lockdown mode |
List permissions: View Application Pages | ● | |
Site permissions: Browse User Information | ● | ● |
Site permissions: Use Remote Interfaces | ● | |
Site permissions: Use Client Integration Features | ● | ● |
Site permissions: Open | ● | ● |
If you have any questions let me know.
Thanks
