I have some files in a "downloads" folder on my site. The only people who should be able to download the files are people who have purchased them. I have a "downloads.asp" page (classic ASP) which asks for the visitor's receipt number. Their input is checked against my database to ensure it is legit. If it is legit, a list of their purchased products is provided on the page. Each list item is a link to the appropriate file, such as "http://www.mydomain.com/downloads/purchasedfile.msi". However, such a URL could be handed to a customer's next-door neighbor, who could then download the file without having purchased it.
Using the file manager provided by my webhosting company I find there are 3 types of permissions available to a folder: Authenticated, Application Pool, and Anonymous. Obviously I do not want to allow all anonymous users to access the files. I expected that using the Application Pool settings (allow read, allow execute) would enable anyone connecting to the files from my .asp page to automatically have the appropriate permissions (after they provided a legit receipt number), but that is not correct.
Furthermore, I don't even know how Application Pool permissions are set up. There does not seem to be an obvious place where I set up a generic account name or password, so I don't even have such things to provide from my .asp script. All my research tells me that accounts for an Application Pool are set up through IIS from the server itself. The server is my webhosting company's, not mine. How do I set up an account and its password, and how do I provide those values from my .asp script?
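One way to close the shareable-link gap described in the question, as an added example that is not part of the original post: the page links to a script instead of the file, and the script re-checks the purchase before streaming the bytes. It assumes downloads.asp stores the validated receipt in `Session("receipt")`, that the files sit in a folder not reachable by URL which the script's identity can read, and that `getfile.asp`, `STORE_DIR`, `CONN_STR` and the `Purchases` table are hypothetical names.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' getfile.asp (hypothetical name): streams one purchased file to the buyer.
' Assumptions: downloads.asp sets Session("receipt") after validating it;
' Purchases(ReceiptNo, ProductId, FileName) is a constructed schema.
Const STORE_DIR = "D:\private\downloads\"   ' placeholder, not reachable by URL
Const CONN_STR  = "YOUR-CONNECTION-STRING"  ' placeholder
Const adVarChar = 200, adInteger = 3, adParamInput = 1
Const adCmdText = 1, adTypeBinary = 1

Dim receipt, productId, conn, cmd, rs, fileName, stm
receipt = Session("receipt")
' No validated receipt in this session, or a malformed id: refuse.
If IsEmpty(receipt) Or Not IsNumeric(Request.QueryString("id")) Then
    Response.Status = "403 Forbidden"
    Response.End
End If
productId = CLng(Request.QueryString("id"))

' Parameterized lookup: does this receipt include this product?
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT FileName FROM Purchases WHERE ReceiptNo = ? AND ProductId = ?"
cmd.Parameters.Append cmd.CreateParameter("r", adVarChar, adParamInput, 50, CStr(receipt))
cmd.Parameters.Append cmd.CreateParameter("p", adInteger, adParamInput, , productId)
Set rs = cmd.Execute
If rs.EOF Then
    rs.Close : conn.Close
    Response.Status = "403 Forbidden"
    Response.End
End If
fileName = rs("FileName").Value   ' name comes from the database, never from the request
rs.Close : conn.Close

' Stream the file in chunks so large installers do not exceed the response buffer.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile STORE_DIR & fileName
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stm.Size)
Do While Not stm.EOS
    Response.BinaryWrite stm.Read(262144)
    Response.Flush
Loop
stm.Close
%>
```

Each list item on downloads.asp would then point at `getfile.asp?id=<product id>`, which returns 403 to anyone whose session holds no validated receipt.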