HOWTO: Allow file downloads (including .exe) on IIS 6.0

Variations of this question are asked of IIS 6 all the time. However, the answer is no different than for any other version of IIS other than the fact that IIS 6 gives you a distinct error code to troubleshoot. What is not clear to me is why users think that the newly introduced Web Service Extension concept has something to do with this misconfiguration... I hope someone can give me some rationale.

Question:

Hello,

What is the correct method to allow .exe files to be downloaded or run from a web site on an IIS 6.0 server?

I am currently receiving a 404.2 error message in my browser when I try to open/download the executable files, and I am not sure which Web Service Extensions configuration changes must be made to allow this.

Thanks in advance,

Answer:

Given the current phrasing of your question, there is no correct method. Downloading a .exe file is NOT the same as run from a website, as I will describe below. I'll give a short answer and then a more detailed answer.

Short Answer

Your error message indicates that you have "Scripts and Executables" enabled, so IIS is trying to execute the .exe file on the web server, and since the .exe is not allowed by any defined Web Service Extension, a 404.2 results. The corrective action depends on what you want to do.

  1. If you want to allow .exe files to be downloaded as-is to the browser, then you must NOT have "Scripts and Executables" as Execute Permissions.
  2. If you want to execute the .exe file on the server to generate a response that is sent to the browser (possibly interpreted as a download), then you MUST have "Scripts and Executables" as Execute Permissions, and you must enable a Web Service Extension for that .exe file.

Details

Whenever the user makes the browser request a resource like "https://server/myapp.exe", users usually want one of the following actions to happen:

  1. Return the file contents of myapp.exe as-is to the browser (aka file download)
  2. Execute myapp.exe on the web server to generate a dynamic response (aka execute CGI script)

Now, the web server controls which action should happen, and on IIS, this is controlled by the "Execute Permissions" property of the virtual directory containing the .exe file. If the permission is set to "Scripts and Executables", then IIS will do action #2. Otherwise, it will do action #1.

Prior to IIS 6.0, there were no further security checks against either action. On IIS 6.0, there is one additional security check, depending on the action:

  1. For action #1, the file resource's extension (.exe in this case) must have a defined MIME Type or else a 404.3 occurs. .exe has a MIME Type of  application/octet-stream by default, so file download should just work.
  2. For action #2, there must be an enabled Web Service Extension for the full path to the .exe resource to allow IIS to execute it to generate a HTTP response or else a 404.2 occurs. For securety reasons, IIS 6 does not allow any resource to execute by default unless otherwise configured/allowed in Web Service Extension.

//David