To protect a script in IIS, find the script file in the Explorer, revoke the anonymous user’s permission to read the script file, and grant the desired user or group permission. That’s not all, though. You also have to find the script file in the MMC, do right-click → Properties → File Security → Anonymous Access and Authentication Control → Edit, and uncheck Allow Anonymous Access. Otherwise, the anonymous user will try to read the script file in order to execute it, and that access will fail before any further authentication can occur.

Unlike Apache’s approach to access control, IIS’ can be file oriented as well as directory oriented. That means you can store differently authenticated scripts in a common directory. But you still can’t use a single script protected in this way to serve multiple docbases to different audiences. Conventional HTTP authentication, whether it’s applied to statically served files or to scripts that serve files dynamically, is an all-or-none game. Either you can see a file, or you can’t. Either you can run a script, or you can’t.