Anonymous access policy in sharepoint web application is created for public facing sites, which can be accessed by users having no permission in the site. Anonymous access permission setting is disabled by default. No prompt for user credentials while accessing these anonymous contents is required.
Actually “IUSR_computername” account is created by IIS for authenticating anonymous users to access the public facing content in sites. We can create anonymous access policy at the web application level so as to restrict/manage permission for anonymous content and their action on it.
- Since we are going to create a public facing sharepoint site, its always recommended and best practice to extend web application that is going to face external traffic.
- Navigate to SharePoint Central Administration. Click on Application management and select Manage Web Applications.
- Select the web application “http://win-q2repghf9du:27315/” and click on “Extend” from ribbon under “Contribute” section.
- “Extend Web Application to Another IIS Web Site” dialog box will open, Select “Allow Anonymous” to “Yes”. Click “OK”.
- Now Select the Web Application (http://win-q2repghf9du:27315/) and click on “Authentication Providers” from ribbon under Manage Web Applications, Select the zone “Intranet” for changing the authentication.
- Click on “Intranet” as we have selected this while extending the web application, you will notice “Enable Anonymous Access” is selected.
- Now select the extended Web Application (http://win-q2repghf9du:27315/) from Web Application Management page and click on “Anonymous Policy”.
- Select the zone as “Intranet” as anonymous access is enabled for this zone. you can enable for other zones following the previous step. Next select “Anonymous User Policy” that you want to apply let’s say “None”.
There are 3 anonymous user policy level available as below, you can select as per requirement.
- None: Default permissions to anonymous users will be applied as NT AUTHORITY\Authenticated Users and All Authenticated Users have.
- Deny Write: Read access to all content for site collections under that web application but no write access.
- Deny All: No permission to the web application.
- Let me remind again we extended web application “http://win-q2repghf9du:27315/” and the extended URL is “http://win-q2repghf9du:16507/“. Open this extended URL “http://win-q2repghf9du:16507/“, navigate to “Site Settings->Site Permissions” and click on “Anonymous Access” from ribbon.
- Select types of anonymous access policy that anonymous users can access like “Entire Web Site” or “Lists and Libraries” or “Nothing”. Select “Entire Web Site” so as to give access to all contents in that site. uncheck “Require Use Remote Interfaces Permission”, click “OK”.
- We can further restrict permissions at the document library level. Navigate to “Document Library”. Click on Library Settings and select “Permissions for this document library” and click on “Stop Inheriting Permissions”.
- You will get option in ribbon “Anonymous Access” Click on that “Anonymous Access”. Select the permission you want to assign and click “OK”.
- Next you can check the Site Collection feature “Limited-access user permission lockdown mode”. It should not be active so as to get access at the Application Page Level.