FBA Anonymous Issue – Part 1

Problem

At my current client we have an internal site and a publicly available external site.  On our external site we also have FBA enabled and configured so that some of the content is locked down and only available through FBA Authentication.

We are not deploying security through content deployment, so I explicitly set security on the external site.  We use the CQWP to roll up the information to landing pages so that the public will see only a subset of what an FBA-authenticated user will see.

Security trimming is working fine externally.  However, in our testing our users kept getting to the content.  It wasn't secure.

Security was set up; shouldn't that protect our information?  The CQWP was working and I could see security trimming working.  I checked security and it was set up correctly.  What was I missing?  Very frustrating when you believe it will work out of the box.

Resolution

The cause turned out to be a setting that is enabled by default when Anonymous is enabled.  Every list, library, and subsite has a setting called Anonymous Access.  For lists and libraries, navigate to the object and click its permissions, and you will get the following screen:

The next screen presented is for subsites:

Or the following for lists:

Either way, the default is Enabled, which lets anonymous users view the site.

The key here is:  This setting supersedes the security you put on the list, library, or subsite.  However, it does not supersede item-level security.
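To find every place where this setting is still on, the following script walks a site collection with the SharePoint server object model and reports each subsite and list that grants anonymous access. It is an added example, not part of the original post; it assumes it is run on a SharePoint server, and the site URL is a placeholder.

```powershell
# Added example, not from the original post: lists every subsite and list
# in a site collection that still grants anonymous access.
# Assumption: run on a SharePoint server; the URL below is a placeholder.
param([string]$SiteUrl = 'https://extranet.example.com')

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')
$emptyMask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $findings = foreach ($web in $site.AllWebs) {
        try {
            # Disabled = no anonymous access; Enabled = lists and libraries
            # only; On = the entire subsite.
            if ($web.AnonymousState -ne 'Disabled') {
                New-Object PSObject -Property @{
                    Scope             = 'Subsite'
                    Url               = $web.Url
                    Anonymous         = $web.AnonymousState.ToString()
                    UniquePermissions = $web.HasUniqueRoleAssignments
                }
            }
            foreach ($list in $web.Lists) {
                # A non-empty mask means anonymous users hold rights on this
                # list; per the post, that applies even when the list has
                # its own permissions.
                if ($list.AnonymousPermMask64 -ne $emptyMask) {
                    New-Object PSObject -Property @{
                        Scope             = 'List'
                        Url               = $web.Url + '/' + $list.RootFolder.Url
                        Anonymous         = $list.AnonymousPermMask64.ToString()
                        UniquePermissions = $list.HasUniqueRoleAssignments
                    }
                }
            }
        }
        finally { $web.Dispose() }   # SPWeb objects from AllWebs must be disposed
    }
}
finally { $site.Dispose() }

$findings | Sort-Object Url |
    Format-Table Scope, Url, Anonymous, UniquePermissions -AutoSize
```

Rows where UniquePermissions is True and Anonymous is not empty are the ones that match the situation described here: permissions were set explicitly, yet anonymous users can still read the content.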

 

Stay tuned for Part II – Frustration Mounts
