Our application has a security module that allows or denies access to Word and Excel documents based on the user's access level. However, a user who does not navigate the site through the application, but knows the URL for a document is able to access it. How can we prevent this? Can the application run as a user other than the IUSR anonymous user? If so, would it work to set the permissions on the documents so the anonymous user doesn't have access and the user the application runs as does? Any other ideas? There must be a standard way of doing this, but I can't find any documentation on it.