One of the nice new features in IIS7 is the ability for administrators to lock and unlock configuration settings, both at a global level and at a site-specific level. This allows you to have scenarios like this:
- Administrator locks a configuration section - say Authentication - Basic - at the global level. This means that none of the sites on that server can override this setting and change the authentication type.
- Administrator locks a configuration section - say Default Document - for a particular site. Therefore that particular site will be unable to modify the default document.
- Administrator unlocks a configuration section - say the same as in (1) - for a particular site. That site will therefore be able to modify the setting and change the type of authentication.
All this is done inside the main configuration files. The new IIS7 config file is found in \windows\system32\inetsrv\config\applicationHost.config. The global ASP.NET configuration file is found in \windows\Microsoft.net\Framework\v2.0.52707\config\Web.config. If you open these two files you will be able to find out which sections are locked or unlocked.
For instance, take a look at the following examples:
<location path="" overrideMode="Deny">
  <system.web>
    <membership>
      <providers />
    </membership>
  </system.web>
  <system.net>
    <mailSettings>
    </mailSettings>
  </system.net>
</location>
Setting overrideMode to Deny ensures that no site can override the membership and mailSettings sections in its own web.config file. The path attribute on line 1 can be set to "" (blank) or "." (period) to refer to the entire server.
<location path="MySite" overrideMode="Allow">
  <system.web>
    <membership>
      <providers />
    </membership>
  </system.web>
</location>
In this section, overrideMode is set to Allow, so the MySite site is allowed to override the membership section.
<location path="Site" overrideMode="Deny">
  <system.web>
    <machineKey />
  </system.web>
</location>
And finally, I can deny overriding any other specific setting for a single site.
So how do you go about doing this? Well, it is simple, actually. You can use the new appcmd tool to perform all of these. For instance:
appcmd lock config -section:system.web/membership
will lock the membership section of the configuration.
appcmd unlock config -section:system.web/membership "MySite"
will unlock the membership section for only the MySite site.
appcmd lock config -section:system.web/machinekey "MySite"
will lock the machinekey section for only the MySite site.
So how do you find out what these section names are? Well, you can open up the two config files mentioned above and browse through them. Alternatively, you can get a full list of the section names using the following command:
appcmd lock config -section:?
This gives you a list of all the section names/keys that you can use in the above commands.
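To check what has ended up locked or unlocked, the location tags can be read back with PowerShell. The script below is an added example, not part of the original post or of IIS itself: the function names are hypothetical, the XML is constructed sample data modelled on the three location blocks above, and it assumes sections sit two levels deep (group/section) as they do in those blocks.

```powershell
# Added example (not from the original post). The XML below is constructed sample
# data modelled on the post's three <location> blocks; on a server, load the real file:
#   [xml]$cfg = Get-Content "$env:windir\system32\inetsrv\config\applicationHost.config"
[xml]$cfg = @'
<configuration>
  <location path="" overrideMode="Deny">
    <system.web><membership><providers /></membership></system.web>
    <system.net><mailSettings></mailSettings></system.net>
  </location>
  <location path="MySite" overrideMode="Allow">
    <system.web><membership><providers /></membership></system.web>
  </location>
  <location path="Site" overrideMode="Deny">
    <system.web><machineKey /></system.web>
  </location>
</configuration>
'@

# Hypothetical helper: one row per (location, section). Assumes group/section nesting
# two levels deep, as in the post's examples; deeper section paths are not resolved.
function Get-OverrideModeReport([xml]$Config) {
    foreach ($loc in $Config.SelectNodes('/configuration/location[@overrideMode]')) {
        $path = $loc.GetAttribute('path')
        if ($path -eq '' -or $path -eq '.') { $path = '<server>' }  # "" and "." mean the whole server
        foreach ($section in $loc.SelectNodes('*/*')) {
            [pscustomobject]@{
                Location     = $path
                Section      = '{0}/{1}' -f $section.ParentNode.LocalName, $section.LocalName
                OverrideMode = $loc.GetAttribute('overrideMode')
            }
        }
    }
}

# Hypothetical helper: the mode that applies to one site for one section. A location
# tag naming the site is preferred over the server-wide one, as in scenario 3 above.
function Get-EffectiveOverrideMode([xml]$Config, [string]$Site, [string]$Section) {
    $rows = Get-OverrideModeReport $Config | Where-Object { $_.Section -eq $Section }
    $hit = $rows | Where-Object { $_.Location -eq $Site } | Select-Object -First 1
    if (-not $hit) { $hit = $rows | Where-Object { $_.Location -eq '<server>' } | Select-Object -First 1 }
    if ($hit) { $hit.OverrideMode } else { 'not set in this file' }
}

Get-OverrideModeReport $cfg | Format-Table -AutoSize
Get-EffectiveOverrideMode $cfg 'MySite' 'system.web/membership'
Get-EffectiveOverrideMode $cfg 'OtherSite' 'system.web/membership'
```

Comparing the report before and after a change makes it easy to spot a site that has been given Allow on a section that is locked for the rest of the server.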