If you use LDAP or Single-Sign On authentication for your Content Manager Explorer, you can remove the Windows Users group and then ensure the following is set on the /TRIDION_HOME/web directory permissions:
IUSR IIS_IUSR
Give the above built-in users read access to the directory in question. This will work since the authentication in a SSO/LDAP setup is Anonymous for the CME site in IIS.
But a Windows Authentication setup for the Content Manager Explorer will not work with the above setup with the USERS group removed. The core IIS modules require file system access for Windows Authentication to work.
The recommended solution to remediate this security requirement would be to move to LDAP/SSO authentication if not already and implement the above rights changes on the CME directory. |