I am building an extranet application for a group of attorneys. They want the ability to upload files for their clients to view. These files might be images, word docs, html pages, etc. The extranet will be ASP pages kept in a secure directory, with Username and Password (stored in Access2000 Db) being required for access, with the UserID being stored as the session variable. Using ASP pages I can restrict the access to the extranet based on these stored session variables. How do I protect the non ASP files from being viewed. Although unlikely, I can't have the chance of someone typing in the full file path and filename and being able to download the protected files. Also, they need for the reverse to be implemented, because their clients might need to upload files for the attorneys to see. These will need to be protected in a similar manner for the same reasons.