Locking Configuration Settings in ASP.NET

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

By default, configuration files located in subdirectories override and extend all configuration settings defined in parent configuration files. In application hosting scenarios, administrators often want to lock some settings on a site so that they cannot be modified. For example, an administrator might want to lock the sandbox security settings for hosted applications to help prevent Web users from attacking the system.

Administrators can lock configuration settings by adding an allowOverride="false" attribute to a <location> directive. This tells the configuration system to throw an error if a lower-level configuration file attempts to override any configuration section defined within this locked <location> directive.

The following configuration file example (which could be stored at either the main system level or at the site level) locks the trust level of two different ASP.NET applications (application1 and application2).

<configuration>
  <location path="application1" allowOverride="false">
    <system.web>
      <trust level="High"/>
    </system.web>
  </location>
  <location path="application2" allowOverride="false">
    <system.web>
      <trust level="Medium"/>
    </system.web>
  </location>
</configuration>

Any attempt to override the locked configuration settings in the preceding example, such as with the configuration settings in the following example, would generate a configuration system error.

<configuration>
  <system.web>
    <trust level="Full"/>
  </system.web>
</configuration>
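
The locking rule described above can be checked offline before a site is deployed. The following Python sketch is an added example, not Microsoft's code and not the ASP.NET configuration system itself; the function names and the paths application2/reports and application3 are hypothetical. It assumes that a lock covers the named path and everything beneath it, and it models only grouped sections such as system.web/trust.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the two configuration files shown on this page.
PARENT = """<configuration>
  <location path="application1" allowOverride="false">
    <system.web><trust level="High"/></system.web>
  </location>
  <location path="application2" allowOverride="false">
    <system.web><trust level="Medium"/></system.web>
  </location>
</configuration>"""
CHILD = """<configuration>
  <system.web><trust level="Full"/></system.web>
</configuration>"""

def sections(node):
    """Yield 'group/section' names under node (assumption: grouped sections only)."""
    for group in node:
        if group.tag == "location":
            continue
        for section in group:
            yield f"{group.tag}/{section.tag}"

def locked_sections(parent_xml):
    """Map each <location> path to the sections locked by allowOverride="false"."""
    locked = {}
    for loc in ET.fromstring(parent_xml).findall("location"):
        if loc.get("allowOverride", "true").lower() == "false":
            locked.setdefault(loc.get("path", ""), set()).update(sections(loc))
    return locked

def override_violations(parent_xml, app_path, child_xml):
    """Return the locked sections that the child file at app_path tries to set."""
    app = app_path.strip("/").lower()
    child = set(sections(ET.fromstring(child_xml)))
    found = set()
    for path, names in locked_sections(parent_xml).items():
        p = path.strip("/").lower()
        # Assumption: a lock applies to the named path and everything beneath it.
        if p == "" or app == p or app.startswith(p + "/"):
            found |= names & child
    return sorted(found)

if __name__ == "__main__":
    for app in ("application1", "application2/reports", "application3"):
        print(app, override_violations(PARENT, app, CHILD))
```

A non-empty result names the sections that the lower-level file would fail on; an empty list means the file sets nothing that the parent has locked for that path.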