I've been tasked with picking up the slack for an ailing programmer (I'm a new and floundering coder myself) and am struggling to secure a document directory in our .NET application. It's a Web-based app using ASP.NET with VB.NET on a Windows 2000 server with IIS 5. A number of pages are comprised of href links to documents that are stored in a directory on the server, and the customer wants to prevent a user from being able to type a document's URL into the browser and load it directly; they only want to be able to access these documents through links on the pages in the Web app itself (the pages are secured with a login/authentication against a SQL 2000 database and then through session variable checks). I've searched a number of places that recommend storing the docs in the database (customer doesn't want that) or mapping the document file extensions so they are served by the .NET framework and securing them in the web.config file, but we have already experienced some issues with the aspnet worker process ballooning and I would prefer to avoid taxing it any further on the outdated servers we are using. Is there a straightforward method of locking down a directory codewise to prevent direct access without linking from an internal page? Any assistance would be greatly appreciated.