I have a section of a site I&#039;m working on set up behind a password using ASP (VB script). The pages check for a cookie, and, if not existent, redirects the person to the log-in page, which, if they enter the right password, sets the cookie.<BR><BR>There&#039;s just one pwd/username for all (this isn&#039;t a high-security thing...it just prevents casual access).<BR><BR>The problem is that these pages also link to a lot of Word Docs and PDFs. These, of course, are not pwd protected since they&#039;re not being accessed through an ASP page.<BR><BR>What are my options to also protect those? I was originally hoping that I could do something akin to apache where I simply set an .htaccess file to only allow access to files that have been requested from that domain (usually used to prevent file leeching). <BR><BR>I think the two options that seem to work would be:<BR><BR>1) Just protect the entire folder via a pwd with IIS (pros: This would protect EVERYTHING in the folder and subfolders. cons: no nice log-in page)<BR><BR>2) Store the documents outside the root and use streaming to deliver the files to the browser (pros: secure. cons: doesn&#039;t really fit into our system for easy updating of these files.)<BR><BR>I&#039;m leaning towards option 1 right now, but thought I&#039;d throw this out here in case there are some other options I should consider.