You are correct in that using Windows built-in security is really the easiest and one of the more secure methods to secure access to parts of a website. Of course, this is usually only an option if you have control of the whole server -- that is, you have the ability to turn off anonymous access to your website and to add Windows users to the server.
First thing you have to do is create your users as Windows users (or domain users). Then, fire up IIS Manager, right-click your website, select Properties, click the Directory Security tab, click the Edit button near the top, then uncheck the Anonymous Access checkbox. IIS will default to the least common denominator so if you enable anonymous access, you will always get anonymous access -- even when the user is an authenticated member of the domain. (IIS defaults to least common denominator.)
Once you have this set up, create an ASP page with this code:
Code:
<style>
body {
background-color:black;
}
td {
font-family:Verdana;
font-size:8pt;
}
.label {
background-color:whitesmoke;
}
.field {
background-color:gainsboro;
}
</style>
<table>
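<%
' List every server variable and its value, one table row each.
' Many of the values come straight from the request (headers, query string),
' so HTML-encode them before writing them into the page.
For Each item In Request.ServerVariables
    Response.Write("<tr>" & _
        "<td class=label align=right valign=top>" & Server.HTMLEncode(item) & "</td>" & _
        "<td class=field valign=top>" & Server.HTMLEncode(Request.ServerVariables(item)) & "</td>" & _
        "</tr>" & vbCrLf)
Next
%>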
</table>
Run it and notice this value - AUTH_USER. It will give you the user's account name.
Code:
username = Request.ServerVariables("AUTH_USER")
You don't need to think about verifying passwords because Windows already handled that for you. If the user hits your page, you know they are authenticated already.
Nice thing about this security model is that ALL files are protected -- not just script files.
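An added example, not part of the original post: a page guard that fails closed when AUTH_USER is empty (which is what you see when anonymous access is still enabled) and then checks the account against an allow-list. The account names and the IsAllowed helper are constructed for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Constructed allow-list for illustration: lower-case DOMAIN\user names.
Dim allowedUsers
allowedUsers = Array("example\alice", "example\bob")

' Hypothetical helper: True only if the account is on the allow-list.
' Windows account names are case-insensitive, so compare in lower case.
Function IsAllowed(account)
    Dim i
    IsAllowed = False
    For i = LBound(allowedUsers) To UBound(allowedUsers)
        If LCase(account) = allowedUsers(i) Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

Dim authUser
authUser = Trim(Request.ServerVariables("AUTH_USER"))

If authUser = "" Then
    ' Empty AUTH_USER means IIS served this request anonymously,
    ' so nothing has verified the caller. Refuse instead of continuing.
    Response.Status = "401 Unauthorized"
    Response.End
ElseIf Not IsAllowed(authUser) Then
    ' Windows authenticated the user, but this page is not for them.
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
<p>Signed in as <%= Server.HTMLEncode(authUser) %></p>
```

For static files, which never run this script, the equivalent restriction is the NTFS permissions on the files themselves.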