What may be an unknown feature to some is the ability to control access to Web Applications via Policies in Central Administration. These policies are based on 'zones', and these zones can be applied to any Web application or extended zone. For example, you could have http://portal.trainsbydave.com as a fully collaborative portal with native security in place. You could then extend that Web application to http://portal-ext.trainsbydave.com and restrict any number of permissions on it. Full Control, Full Read, Deny Write, and Deny All are the default permission policies for Web applications.
So, you could have full access to portal.trainsbydave.com and limit that Web application to your Intranet. You could then publish portal-ext.trainsbydave.com externally, perhaps in a DMZ, and apply a different policy using a combination of zones and permission policies. Before you immediately add a new permission policy from Central Administration > Application Management > Policy for Web Application > Manage Permission Policy Levels, you should take some time to see what level of access the default permission levels actually define. You will most likely want to create a custom permission policy level.
New policies are most likely used and applied when you want to Extend and Map a new Web application. That is beyond the scope of this blog, but it essentially creates a new IIS Virtual Server (hence, another URL like http://portal-ext) that is associated with the same set of content databases as the original Web application. During this process, you have the ability to define a Zone. This zone has nothing to do with Internet Explorer, so don't cross those wires. This zone is simply a way for you to manage multiple authentication mechanisms and Web application zone policies.
To begin working with policies, browse to Central Administration, Application Management, Application Security, Policy for Web Application. First, never remove the NT AUTHORITY\LOCAL SERVICE account, as it is used for caching on the WFEs. Second, the other default account(s) listed are Read Only policies for the default content access account used for crawling/search/indexing. Notice the Quick Launch on the left; this is where the default Anonymous access permission levels are set. Go ahead and open 'Manage Permission Policy'. You can modify the default policies, but that is generally a really bad idea. Select 'Add Permission Policy Level' to begin. From here, you can create a new permission policy level defining any combination of granted and denied rights. Don't forget, after you create this policy level you must still go back to the first screen and attach it to a zone and a set of users.
A clever use of this could be to allow full collaborative access on both the internal (default) and external zones, but deny the Manage Lists permission on the external zone only. This would force list management to occur on the Intranet or via VPN.
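The same workflow the post walks through in Central Administration (review the default levels, add a custom level instead of editing a default, then bind it to a zone and a set of users), scripted against the SharePoint Server object model. This is an added example, not code from the original post; it assumes SharePoint 2010 or later with the Microsoft.SharePoint.PowerShell snap-in, a shell admin account, and a placeholder group name.

```powershell
# Added example (not from the original post). Assumes SharePoint 2010+ and a shell admin account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://portal.trainsbydave.com"

# Step 1: see what the default policy levels actually grant and deny before adding a new one.
foreach ($role in $webApp.PolicyRoles) {
    "{0,-20} Grant: {1}" -f $role.Name, $role.GrantRightsMask
    "{0,-20} Deny:  {1}" -f "",         $role.DenyRightsMask
}

# Step 2: add a custom level rather than modifying the defaults. Grant everything a
# collaborator needs, but deny Manage Lists so list structure can only be changed
# from the internal (Default) zone. A policy deny overrides any site-level grant.
$roleName = "Full Control - No List Management"
$custom = $webApp.PolicyRoles.GetRoleByName($roleName)
if ($custom -eq $null) {
    $custom = $webApp.PolicyRoles.Add($roleName, "Collaborate externally; manage lists on the Intranet only")
}
$custom.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]::FullMask
$custom.DenyRightsMask  = [Microsoft.SharePoint.SPBasePermissions]::ManageLists
$custom.Update()

# Step 3: attach the level to a principal on the extended (Extranet) zone only.
# The Default zone is left untouched, so the same users keep list management internally.
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$policies  = $webApp.ZonePolicies($zone)
$principal = "TRAINSBYDAVE\Portal Collaborators"   # placeholder group, not from the post
$policy = $policies | Where-Object { $_.UserName -eq $principal }
if ($policy -eq $null) {
    $policy = $policies.Add($principal, "Portal Collaborators (external zone)")
}
if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $roleName })) {
    $policy.PolicyRoleBindings.Add($custom)
}
$webApp.Update()

# Step 4: confirm what is now bound on each zone.
foreach ($z in @([Microsoft.SharePoint.Administration.SPUrlZone]::Default, $zone)) {
    $webApp.ZonePolicies($z) | Select-Object @{n="Zone";e={$z}}, UserName,
        @{n="Levels";e={($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "}}
}
```

Run it from the SharePoint Management Shell on a farm server; re-running is safe because the level and the policy are only created when absent.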
Ben Curry
Mindsharp