401.3, you say? Not 403?

You're running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you've unticked Integrated Windows Authentication).

Using a web browser, you try to access a file in that virtual directory. https://example.com/vdir/something.txt

What's a web browser?

Know what IE is, Leon?

Yeah.

Same thing.

I've never seen an IE. But I know what you mean.

Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn't have any NTFS permissions to it. IIS impersonates the anonymous user for any anonymous request, and if it's knocked back, it 401s the client with a WWW-Authenticate header describing the types of authentication supported.

Now IIS needs to ask for some kind of credential, but the only authentication method ticked is Anonymous. So IIS can't ask for credentials. It can't 401 with a WWW-Authenticate header because it's got nothing to put in it. It won't send a 403 because it hasn't yet made a good-faith attempt to impersonate a user other than Anonymous.

But you haven't configured it to ask for credentials. You could tick Integrated Windows and make the pain go away. Or you could allow the Internet Guest Account (at least) Read access to the file. But you're not doing that, Leon.

Why is that, Leon?

Do you make these questions up yourself, or do you have them written down for you?

Actually, people come to me with questions all the time, and I sometimes write them down. 

Like this one: tell me only the good things that come to your mind, about... Personal Web Server on Windows 95.

Personal Web Server? Let me tell you about Personal Web Server...