Some simple ASP security tips

Any regular ASP code will not be visible to the client because it is processed server side, with only the HTML output visible as source to the user.

You should also rename any *.inc files you may be using (that feature "<% 'asp code %>") to *.asp so anyone who tries to open these files from their browser will not get the true source because the server will try to process them as asp files and output accordingly (an .inc file will show up fully just as a .txt would).

If you have virtual directories for all your images, include files etc (eg. /images or /include), then to stop anyone having a full list of those directories' contents (and therefore full download access to all your files) simply stick an index.htm or default.htm file in there.

This file could be a blank page or contain a message, but it will automatically load when someone tries to access a "library" directory.

You can hide any client side script by using something along the lines of:

<script language="VBScript" src="file.vbs" type="text/vbscript"></script>

The code will not show in the HTML source. However, it can still be downloaded if the user goes to its address. The files could be encrypted though.