Sorry to hear about your frustrations. Is it possible for them to set the (virtual)directory as an application in IIS? if so, you can have your own web.config specifically for that directory, and the other one can be left alone.
other than that, I'd perhaps suggest a usercontrol that you drop on every page in that dir that would handle permissions(by session cookies or whatnot..)
It sounds like you're using virtual hosting. The only way to protect a directory is to use IIS (web.config won't work unless all your documents are passed through the ASPX ISAPI extension).
Unless your hosting company is willing to set up the password protection then there's not much you can do.
If all your files in that directory are just ASP or ASP pages you can do it by baking your own password protection scripts on each page.
Cany you just submit a request to 'computer services' to change the security settings on the folder?
>I am being asked to do is create a directory that is password protected
This makes no sense. Why not go back to client and bottom out te requirements before solving the problem - users, permissions etc.
At minimum yo need to have
<authentication mode="Forms" />
set in your web.config
Then you can create your own authentication cookie
on page load in every page you need to check if user is validated (SQL, Access )
if not set,redirect to login page where you can check if user exists in database.
If user exist and passoword matches set user cookie..
string UserID = GetUserID(username,password)//gets userid from db
tomasz, that only works for documents that are passed through the ASP.Net module. If he has zip files, graphics or anything other than an ASP.Net page that he wants hiding, then by defaut ASP.Net authentication won't work for those documents.
I had a similar situation on a host that had frontpage extensions enabled. Password protecting might have corrupted it. My solution was to link the link to this folder to an equivalent directory on another server where this was not an issue.
Why not put all your programs on a server where you have control on. So the address will say anotherdomain.com. As long as your program does what it should not many people will even notice the address until you tell them.
Just a brainstorm.
Another point is that if you have an index.* the contents won't be seen. In this case unless someone knows the exact file or directory name they won't be able to access it. In other words your file names would be kind of a password. Name them long and hard to guess.
Set the security to that folder only and have all of the NT creds pass down. They will be prompted to login before getting access to the files there. This only works if you are using domains i.e. intranet app. Don't totally know your situation...if you describe the setup and the business rules it would help.
It works for any site that disallows anonomous access, nothing to do with domains or intranets :)