Resolving IIS 401.3 Access Denied Errors for Static Files Despite Correct ACL Settings



After deploying updated static files (CSS, JS, images) to a Sitecore 6.3.1 website running on IIS 7.5 (Windows Server 2008 R2), all requests to these resources began returning HTTP 401.3 errors. The files were copied to C:\Inetpub\wwwroot\(website name)\Website\static from a ZIP archive provided by our frontend team.

First, I verified that:

  • The application pool identity was set to use IUSR for anonymous authentication
  • The ACLs matched working files in the same directory structure
  • Permissions were properly inherited from parent directories

Here's how I checked the effective permissions using PowerShell:

# Check effective permissions for IUSR
$path = "C:\Inetpub\wwwroot\(website name)\Website\static"
$user = "IUSR"
$acl = Get-Acl $path
$accessRules = $acl.Access | Where-Object { $_.IdentityReference -like "*$user*" }
$accessRules | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

After exhausting standard permission checks, I discovered the files copied from the ZIP archive had different ownership than the working files. The working files were owned by the local Administrators group, while the new files were owned by the developer's domain account.

This PowerShell snippet helped identify the issue:

# Compare ownership between working and broken files
Get-Acl "C:\Inetpub\wwwroot\(website name)\Website\default.css" | Select-Object Owner
Get-Acl "C:\Inetpub\wwwroot\(website name)\Website\static\main.css" | Select-Object Owner
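
The two-file comparison above, extended to every item under the deployed folder. This is an added example, not part of the original post: Find-AclDrift is a hypothetical helper name, the paths reuse the post's "(website name)" placeholder, and only ACEs that name IUSR directly are checked (group membership is not expanded).

```powershell
# Added example. Find-AclDrift is a hypothetical helper name, not a built-in cmdlet.
function Find-AclDrift {
    param(
        [Parameter(Mandatory=$true)] [string] $ReferenceFile,  # file that is served correctly
        [Parameter(Mandatory=$true)] [string] $DeployedPath,   # folder returning 401.3
        [string] $Identity = 'IUSR'                            # anonymous user from the post
    )

    $refOwner = (Get-Acl -Path $ReferenceFile).Owner
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    Get-ChildItem -Path $DeployedPath -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName

        # ACEs naming the identity directly, e.g. "NT AUTHORITY\IUSR".
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$Identity" })
        $allowRead = @($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }).Count -gt 0
        $hasDeny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0

        # Report only items that differ from the reference or block the identity.
        if ($acl.Owner -ne $refOwner -or -not $allowRead -or $hasDeny) {
            New-Object PSObject -Property @{
                Path           = $_.FullName
                Owner          = $acl.Owner
                OwnerMatches   = ($acl.Owner -eq $refOwner)
                AllowRead      = $allowRead
                HasDeny        = $hasDeny
                InheritanceOff = $acl.AreAccessRulesProtected
            }
        }
    } | Select-Object Path, Owner, OwnerMatches, AllowRead, HasDeny, InheritanceOff
}

# Paths follow the post; "(website name)" is the post's placeholder.
$site = 'C:\Inetpub\wwwroot\(website name)\Website'
Find-AclDrift -ReferenceFile "$site\default.css" -DeployedPath "$site\static" |
    Format-Table -AutoSize
```

Run it before and after the fix: an empty result afterwards means every item has the reference owner and a direct Allow read ACE for IUSR.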

Here's the complete fix I implemented:

  1. Take ownership of all static files:

    # Take ownership recursively
    takeown /f "C:\Inetpub\wwwroot\(website name)\Website\static" /r /d y

  2. Reset permissions using icacls:

    # Reset permissions to match parent directory
    icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /reset /t /c /q

  3. Grant explicit permissions to IUSR:

    # Grant read/execute to IUSR
    icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /grant "IUSR:(RX)" /t /c /q

For Sitecore environments, you might also need to:

  • Check the web.config for any special static file handlers
  • Verify the static files aren't being processed by any Sitecore pipelines
  • Ensure the static folder isn't protected by any request filtering rules

Here's an example of checking request filtering settings:

# Check IIS request filtering configuration
Import-Module WebAdministration
Get-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering" -PSPath "IIS:\" -Location "(website name)" -Name *

When working with IIS and Sitecore 6.3.1, encountering 401.3 errors after deploying static assets can be particularly frustrating. The scenario typically occurs when:

  • Files are copied from a ZIP archive (losing inherited permissions)
  • The application pool identity lacks proper access
  • Special Sitecore security configurations interfere

Standard ACL checks might not reveal the complete picture. Use this PowerShell command to list every access control entry on the folder:

Get-Acl "C:\Inetpub\wwwroot\(website name)\Website\static" | 
Format-List -Property AccessToString

Compare this with working files using:

Get-Acl "C:\Inetpub\wwwroot\(website name)\Website\default.css" | 
Format-List -Property AccessToString

Standard inheritance fixes often fail. Try this comprehensive approach:

# Remove all explicit permissions
icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /reset

# Re-establish inheritance
icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /inheritance:e

# Grant minimal required permissions
icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /grant "IUSR:(OI)(CI)(R)"
icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /grant "IIS_IUSRS:(OI)(CI)(R)"

Sitecore 6.3.1 has some unique behaviors with static content:

  • Check web.config for any <location> tags restricting the /static path
  • Verify no Sitecore pipelines are interfering with static content
  • Examine any custom httpModules that might intercept requests

If your app pool uses Network Service, try this permission modification:

icacls "C:\Inetpub\wwwroot\(website name)\Website\static" /grant "NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(R)"

In IIS Manager:

  1. Navigate to your site's Handler Mappings
  2. Check if StaticFile handler is enabled
  3. Verify it's not being overridden for your path

Create a test.html file in your static directory with this content:

<html>
<body>
    <h1>Static Content Test</h1>
    <p>If you see this, permissions are correct</p>
</body>
</html>

Attempt to access it directly via browser to isolate the issue.