Wednesday, September 14, 2011

IIS 7.0 IP Address Security

I was totally lost with the new approach to security in Windows Server 2008. In older versions of the OS there used to be IP address restriction if you go to the IIS website properties; well, I couldn't figure it out until today in Windows 2008.

From Server Manager - Roles - Web Server (IIS) - Internet Information Services (IIS) Manager,
click on your computer name - Sites - Default Web Site - your site.

On the right side, under IIS, you can see IP Address and Domain Restrictions. Double-click it to open it.


Click on Add Allow Entry and add the IP address to allow. Also allow 127.0.0.1 if you are specifying <ipSecurity allowUnlisted="false" /> in the applicationHost.config file.

allowUnlisted - Specifies whether to allow unlisted IP addresses. Setting the allowUnlisted attribute to true allows an unlisted IP address to access the server. Setting the allowUnlisted attribute to false locks down the server, preventing access to all IP addresses unless they are listed. If you were to set this attribute to false and do not list the local loopback address (127.0.0.1) as an allowed IP address, you would not be able to access your server by using a browser from a local console.
This attribute can also affect delegation. If you were to set this attribute to false in a parent configuration, you would not be able to use the <clear> element to clear this configuration in child configuration files.
The default value is true.


To set <ipSecurity allowUnlisted="false" />, open Notepad, then File - Open \\windows\system32\inetsrv\config\applicationhost.config, search for ipSecurity and change the entry. Save the file and now test it.
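To check the result of these steps without clicking through every site, here is an added example (not from the original post or from Microsoft) that reads the ipSecurity sections and reports which paths are still open and which are locked down without a 127.0.0.1 allow entry. The names audit, allows_loopback and SAMPLE_CONFIG are made up for this example, the sample XML is constructed, and it assumes per-site settings sit in <location> blocks and use IPv4 entries.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server), shaped like the per-site
# <location> blocks in applicationHost.config. IPv4 entries only.
SAMPLE_CONFIG = """<configuration>
 <location path="Default Web Site/open"><system.webServer><security>
  <ipSecurity allowUnlisted="true" />
 </security></system.webServer></location>
 <location path="Default Web Site/no-loopback"><system.webServer><security>
  <ipSecurity allowUnlisted="false">
   <add ipAddress="192.168.10.0" subnetMask="255.255.255.0" allowed="true" />
  </ipSecurity>
 </security></system.webServer></location>
 <location path="Default Web Site/ok"><system.webServer><security>
  <ipSecurity allowUnlisted="false">
   <add ipAddress="127.0.0.1" allowed="true" />
  </ipSecurity>
 </security></system.webServer></location>
</configuration>"""

LOOPBACK = ipaddress.ip_address("127.0.0.1")

def allows_loopback(ip_security):  # True if an allowed <add> covers 127.0.0.1
    for entry in ip_security.findall("add"):
        if entry.get("allowed", "false").lower() != "true" or not entry.get("ipAddress"):
            continue  # deny entry, or a domainName-only entry
        mask = entry.get("subnetMask", "255.255.255.255")  # no mask = single host
        net = ipaddress.ip_network(f"{entry.get('ipAddress')}/{mask}", strict=False)
        if LOOPBACK in net:
            return True
    return False

def audit(config_xml):  # maps each <location> path with ipSecurity to a finding
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        sec = loc.find("system.webServer/security/ipSecurity")
        if sec is None:
            continue
        if sec.get("allowUnlisted", "true").lower() != "false":  # default is true
            findings[loc.get("path")] = "open"
        elif allows_loopback(sec):
            findings[loc.get("path")] = "locked, loopback allowed"
        else:
            findings[loc.get("path")] = "locked, loopback missing"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

To run it against a real server, pass the text of a copy of applicationHost.config to audit() instead of SAMPLE_CONFIG.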

References:

http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity
http://forums.iis.net/t/1041077.aspx
