Cool .NET Tips and Tricks #7
By Dr. Dexter Dotnetsky
Printer - Friendly Version
Dr. Dotnetsky

IIS 6.0 Gotchas

Well, Howdy! I'm back and I've accumulated some stuff during my travels with IIS 6.0. Man, this thing is faster'n a one-armed paper hanger!

IIS Compression

I checked on getting IIS compression to work on Windows Server 2003. If you follow the directions from Redmond, you'll get compression enabled, but it will still be "non-working". There are a couple more items to know that they don't provide any information about:

1. You must permit the compression ISAPI to run. IIS 6's security setup prohibits ISAPI DLLs from running by default, so you need to tell IIS 6.0 that it's OK to let the compression ISAPI DLL run. (That's not the only thing you need to enable - same with just about everything else!).

Open the IIS admin tool, dive down into your server, and right-click on "Web Service Extensions". Choose "Add a new web service extension". For the extension name, use whatever you want to identify it in the list . You'll need to add the single required file, which is \Windows\System32\inetsrv\gzip.dll. This is the ISAPI DLL responsible for gzip and deflate compression. Check the "Set extension status to allowed" and click OK. You should have a new web service extension in your list called "Whatever you named it", and it should show a status of "Allowed".

2. Next, you also need to select the compressible content:

IIS 6's compression system only compresses a limited set of content. You need to enable compression for the appropriate file extensions (specifically, .aspx / .asmx / .ascx files for your ASP.NET pages, and any static content you want compressed as well - .htm, etc.).

You're going to edit the Metabase. There is an option in the IIS6 admin (right click at the _computer_ level) which allows you to edit the metabase, and it just reloads it for you, like web.config, or ---

you can first shut down IIS. In the IIS admin tool, right click on your server name in the left panel, and choose All Tasks -> Restart IIS. On the restart dialog, choose "Stop internet services" and click OK. When IIS is shut down, you'll need to edit \Windows\System32\inetsrv\MetaBase.xml (ALWAYS make a backup first - same with Machine.config, although most of it is not used with IIS 6.0). Search for "IIsCompressionScheme". There will be two XML elements, one for deflate and one for gzip. Both elements have properties called HcFileExtensions and HcScriptFileExtensions. These contain a space-delimited list of file extension for compressible content. At a minimum, you'll need to add aspx to the HcScriptFileExtensions list. Note that if the properties are left blank, then all content, regardless of file extension, will be compressed. That's it!

IIS 6.0 Isolation Modes:

IIS 6.0 is a much different anamule than IIS 5.0, period! While there appear to be a number of surface - level similarities, the whole thing is different, from the way it runs to the way its administered. I'll leave the technical specs to others, but if you start out your journey with the kind of respect that you'd give to a totally unfamiliar creature, I suspect it may help to lessen some of the confusion.

In order to separate and protect ASP.NET applications that run simultaneously, Internet Information Services (IIS) 6.0 provides two different application isolation modes. By default, worker process isolation mode is used. However, IIS 5.0 isolation mode is also provided for backward compatibility. The following describes the two application isolation modes and how to set the mode. If you did an UPGRADE install of Windows Server 2003, you are running in IIS 5.0 mode!

Worker Process Isolation Mode
The default application isolation mode in IIS 6.0 is worker process isolation mode. In this mode, the process model built into ASP.NET is disabled, and the worker process isolation architecture of IIS 6.0 is used instead. Any configuration settings that are specified in the <processModel> element of the Machine.config file are disregarded, except for the following attributes:


To specify values for other process model attributes, you must use the appropriate application pool setting. For information about setting the appropriate application pool settings, read up on "Application Pool Settings for Worker Process Isolation Mode" in the MSDN online or your IIS documentation.

IIS 5.0 Isolation Mode
When IIS 6.0 is in IIS 5.0 isolation mode, the worker process isolation architecture of IIS 6.0 is disabled and the process model build into ASP.NET is used for all ASP.NET applications on the computer. In this mode, the process model settings are specified through the <processModel> element of the Machine.config file.

For more information on configuring the process model settings when using IIS 5.0 isolation mode, search for "ASP.NET Configuration" in help.

Setting the Application Isolation Mode
When using IIS 6.0, you can select either worker process isolation mode or IIS 5.0 isolation mode. The application isolation mode applies globally to the IIS service and affects all Web applications on the computer. You cannot apply an application isolation mode to individual applications.

Example: Selecting the application isolation mode in IIS 6.0

Open the IIS management console and expand the local computer by clicking the plus sign.
Right-click the Web Sites folder, click Properties, and then click the Service tab.
Under Isolation mode, select or clear the Run Web service in IIS 5.0 isolation mode check box to select either IIS 5.0 isolation mode or worker process isolation mode, respectively.

Service tab of the Web Sites Properties dialog box

Worker Process Isolation Modes

The identity application pool settings allow you to specify the account that the worker process uses. By default, the worker process uses the Network Service account. However, you can override this and specify a different Windows identity. The following sections describe how to specify the identity application pool settings.

Example: Specifying Identity Application Pool Settings
The recycling application pool settings are specified on the Identity tab of an application pool's properties dialog box.

To set the identity application pool settings

Open the IIS management console and expand the local computer by clicking the plus sign.
Expand the Application Pools folder by clicking the plus sign.
Right-click the appropriate application pool and then click Properties. The application pool's properties dialog box appears.
Click the Identity tab, and then set the appropriate application pool settings.

Identity tab of application pool Properties dialog box

UserName and Password
UserName and Password are the equivalent application pool setting for the username and password ASP.NET process model settings, respectively. These settings are used together to make the worker process run using the specified Windows identity. By default, the worker process uses the Network Service account. However, if the Configurable radio button is selected and the UserName and Password text boxes contain valid values, the worker process will use the specified Windows identity. In addition, you must add the Windows identity to the IIS_WPG user group!

To add the Windows identity to the IIS_WPG user group

  • On the Start menu, right-click My Computer, and then click Manage.
  • Expand the Local Users and Groups node by clicking the plus sign.
  • Click the Groups folder. A list of all groups defined on the computer is listed in the right pane.
  • Right-click IIS_WPG and then click Add to group.
  • Click the Add button and enter the account you want to use for the worker process.

The most important thing to remember is that IIS_WPG is a Group, not a user! Consequently, identities that IIS is configured to run under must be added to it.

If your application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user. In IIS6 native mode, ASP.Net uses process model and related configuration from IIS6 (vs in IIS5 Compatibility Mode, ASP.Net does use its machine.config, as it does on IIS5). The key to letting IIS6 read that file is to give the IIS_WPG group list access and the exact identity of the user
Read access.

You may be wondering where IIS_WPG comes from and why you need to set ACLs for two identities instead of one with IIS6. This is basically a security change because IIS is no longer "Local System", which has all privileges on the machine. Now, IIS itself is restricted to a much less-privileged identity inside of the IIS_WPG group, so you can view IIS_WPG as "the realm of resources accessible to IIS". You have to set ACLs for the other identity because that's for the user actually accessing the resource. IIS needs distinct access to the resource for some other non-user-specific tasks, such as change-monitoring (for file caching).

I know all the above sounds confusing, because I collected it from KB's and newsgroup posts from confused people, and I was confused when I read it. I'm less confused now, and after a couple more Martinis I'll probably be almost normal... Ain't technology grand?

Anti SPAM!

Here are some tips to help stop those annoying junk emails:

1-Set your filters. Use an Internet service provider (ISP) with advanced junk-mail filters to keep out spam while helping to ensure you don't lose important messages. Look for ISPs that offer easy-to-use, customizable settings that allow you to choose your level of protection.
2-Be careful about disclosing your e-mail address. Junk mail gets to your inbox several ways. Some spammers send e-mail to random variations of e-mail addresses. Others buy address lists from Web sites where you registered or entered a contest that required you to give your e-mail address. Spammers can obtain your address from Internet white pages listings, guest books, newsgroups, resume postings, and chat rooms, too.
3-Help protect your privacy. If you plan to register at a Web site or enter a contest, check the site's privacy policy and terms of use statement. If the Web site doesn't explain how they use your information, reconsider registering your e-mail address and sharing other personal information.
4-Don't reply. Answering spam, even to "unsubscribe," just confirms your e-mail address is valid. Spammers usually ignore your wish to unsubscribe and add your e-mail address to their list. Then they send more spam and/or sell their list, creating more junk mail. Your best bet is to simply delete the spam messages from your inbox.
5-Forward spam to the originating ISP. Check the e-mail header information to see what Internet domain the spam came from. If it came from, forward the entire e-mail, with headers, to If the spam originated from another ISP, forward it directly to the postmaster or abuse alias at that ISP.
6-Stay updated. Learn about the latest news, software, and legislation related to controlling spam online. TRUSTe is an independent organization dedicated to building consumer trust and confidence in the Internet. Or visit CAUCE, the Coalition Against Unsolicited Commercial Email.

While there isn't a way to totally stop receiving spam in your mailbox, by following these tips you can better control the e-mail messages that you do receive.

A little SQL Squeak

This little gem is one I found at our friends over on You gotta just love this! You look all over the web about how to get a random record out of a SQL Server table. There's sixteen different techniques and they all involve at least 20 lines of T-Sql! And then you find this:

Select Top 1 <Whatever your whole query is> order by newId()

That's IT! Am I talking Greek? That's the WHOLE THING! Try it and weep! Thanks, guys! Cya!

Dr. Dexter Dotnetsky is the alter-ego of the forums, where he often pitches in to help answer particularly difficult questions and make snide comments. Dr. Dotnetsky holds no certifications, and does not have a resume. Always the consummate gentleman, Dr. Dotnetsky can be reached at  Dr. Dotnetsky's motto: "If we were all meant to get along, there would be no people who wait for all the groceries to be rung up before starting to look for their damn checkbook."