Reference: [packetstormsecurity.org...]
5. The login prompt is a good place to perform a brute-force attack (whether it shows up in the Event Log or triggers account lockouts, I have not yet tested). Another related fact is that in order to connect to a WebFolder, FrontPage requires that the author's account have the ability to log on locally. So if you do connect to a WebFolder you will be locally logged on to that server (something to think about);
6. The permissions you have as the web author will normally be greater than those given to IUSR_MACHINE;
7. Passwords are often stored in global.asa and other files which may be used to attack other servers;
8. Most people do not realize that they are vulnerable since a default FrontPage installation does not implement any security restrictions and many people do not understand how to set up FrontPage security.
The "majority" of participants here either have their own servers or are utilizing hosted sites.
Both primarily use Apache.
There's rarely any discussion here of FP.
Items 5 thru 8 would have us believe that all servers are vulnerable, and that is simply NOT SO!
That a visitor to a website could circumvent log in and passwords just because they have FP installed on the local machine is a bit far-fetched.
Additionally most everybody here has vti_bin lines denied access. Many folks believed initially that vti was a virus as opposed to FP or somebody using Word as a browser.
Don
You're saying to deny access to that vti_bin would remedy this?
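
To check from the server side whether vti_bin requests really are being refused, and whether any client keeps hitting the login prompt described in item 5, the access log can be audited. The following is an added example, not code from any poster in this thread; it assumes Apache common/combined log format, the `guess_threshold` value is an arbitrary illustration, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Apache common/combined format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def classify(status):
    """Map an HTTP status to what it means for a vti_bin request."""
    if status in (403, 404):
        return "blocked"      # denied by config, or the path does not exist
    if status == 401:
        return "auth_prompt"  # the server offered a login prompt
    return "served"           # anything else: the request was processed

def audit_vti_requests(lines, guess_threshold=3):
    """Return (outcome counts, clients with >= guess_threshold login prompts)."""
    outcomes = Counter()
    prompts_per_client = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the audit
        host, path, status = m.group(1), m.group(3), int(m.group(4))
        if "vti_bin" not in path.lower():
            continue
        kind = classify(status)
        outcomes[kind] += 1
        if kind == "auth_prompt":
            prompts_per_client[host] += 1
    repeat = sorted(h for h, n in prompts_per_client.items() if n >= guess_threshold)
    return dict(outcomes), repeat

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2003:13:55:36 -0700] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 403 289',
    '198.51.100.7 - - [10/Oct/2003:13:56:01 -0700] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 401 401',
    '198.51.100.7 - - [10/Oct/2003:13:56:02 -0700] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 401 401',
    '198.51.100.7 - - [10/Oct/2003:13:56:03 -0700] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.0" 401 401',
    '203.0.113.5 - - [10/Oct/2003:13:57:10 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [10/Oct/2003:13:57:12 -0700] "GET /_vti_bin/shtml.exe HTTP/1.0" 200 512',
    'this line is not in log format',
]

if __name__ == "__main__":
    counts, repeat_clients = audit_vti_requests(SAMPLE_LOG)
    print("vti_bin request outcomes:", counts)
    print("clients repeatedly prompted for login:", repeat_clients)
```

Any "served" count on a server that is not supposed to run FrontPage extensions means the deny rule is not taking effect for that path.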