Web Hosting Talk

NT and ASP Security Risks


shiphq
08-17-2001, 11:56 AM
I would like someone with serious expertise in NT networking and Active Server Pages (ASP) to comment on this one.

I am moderately skilled in ASP and have developed a heavily ASP coded website on Burlee's Virtual Server package. Of course, this means my website is shared with dozens, maybe hundreds, of other websites that populate that server.

A coworker, who has much greater expertise in NT networking and ASP, claims there is a serious security risk involved with hosting on an NT platform that has FrontPage and ASP extensions. He claims that he can write ASP scripts that can map the server to find out what other directories are on that server. And more frightfully, he claims he can also modify files in those other directories using ASP scripts. Obviously, if I can hack into other websites, others can hack into mine. One of the objects he uses in his VBScripting is the ShowDriveInfo object, which I'm not that familiar with.

Is it true this can happen? If so, why didn't the folks at Microsoft, in their infinite wisdom, find a way to prevent this from happening?

RackMy.com
08-17-2001, 03:11 PM
Yes, this is very true but there is a light at the end of the tunnel!

If the host has set the server up right, they have set up a different anonymous (IUSER_) user for each web site. Then they need to set up the proper permissions by only allowing this anon user access to the directories of the web site it's associated with. Then in the IIS MMC, allow anon web access using the anon user that was created for that site.

Now when you try to use these components to map out the drive, directories, etc., you will only have permission to access your own site's directory info, etc.

Make sense? It's very simple, but requires planning on the host's part.
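
Added example (not part of the original thread, and not any host's actual tooling): a small audit of the setup described in the reply above, checking that every site has its own anonymous account and that no site directory is readable by another site's account or by a broad group. The site names, paths, account names and the inventory layout are all constructed for illustration.

```python
# Constructed inventory: for each site, the anonymous account configured in IIS,
# the web root, and the principals granted NTFS rights on that root.
# Every name and path here is made up for the example.
SITES = {
    "alpha":   {"anon": "IUSR_alpha", "root": r"D:\sites\alpha",
                "acl": {"Administrators": "F", "IUSR_alpha": "RX"}},
    "bravo":   {"anon": "IUSR_bravo", "root": r"D:\sites\bravo",
                "acl": {"Administrators": "F", "IUSR_bravo": "RX", "Everyone": "R"}},
    "charlie": {"anon": "IUSR_WEB01", "root": r"D:\sites\charlie",
                "acl": {"Administrators": "F", "IUSR_WEB01": "M"}},
    "delta":   {"anon": "IUSR_WEB01", "root": r"D:\sites\delta",
                "acl": {"Administrators": "F", "IUSR_WEB01": "M", "IUSR_alpha": "RX"}},
}

# Groups that implicitly contain every site's anonymous account.
BROAD = {"Everyone", "Users", "Authenticated Users"}


def audit(sites):
    """Return sorted (finding, principal, sites) tuples for isolation failures."""
    findings = []

    # Map each anonymous account to the sites that run scripts under it.
    owners = {}
    for name, cfg in sites.items():
        owners.setdefault(cfg["anon"], []).append(name)

    # One account shared by several sites means their scripts share one identity.
    for account, used_by in owners.items():
        if len(used_by) > 1:
            findings.append(("shared-anon-account", account, tuple(sorted(used_by))))

    for name, cfg in sites.items():
        for principal in cfg["acl"]:
            if principal in BROAD:
                # Any site's scripts can reach this directory through the group.
                findings.append(("broad-principal", principal, (name,)))
            elif principal in owners and principal != cfg["anon"]:
                # Another site's anonymous account was granted rights here.
                findings.append(("foreign-anon-account", principal, (name,)))
        if cfg["anon"] not in cfg["acl"]:
            # Site's own account has no grant: it only works via a broader one.
            findings.append(("anon-account-missing", cfg["anon"], (name,)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SITES):
        print(finding)
```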