Directory browsing allows visitors to see a list of files and folders in a directory when no default document (such as index.html) exists. This guide covers how to enable or disable it in IIS using web.config, IIS Manager, and PowerShell.
Security warning: Directory browsing should be disabled on all production websites. Leaving it enabled exposes your file and folder structure to anyone who visits a directory without a default document, which can reveal sensitive paths, configuration files, and application structure. Only enable it intentionally for specific directories that require it, and disable it globally for everything else.
Where to find or create your web.config file
The web.config file lives in the root of your website or the specific directory you want to configure. On a Host Media Windows server it will typically be at:
C:\inetpub\wwwroot\yourdomain.com\web.configIf a web.config file does not already exist in the directory, create a new text file, name it web.config, and paste the relevant configuration from the examples below.
Disabling directory browsing globally (recommended first step)
Paste this into your root web.config to disable directory browsing for the entire site:
<configuration>
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
</configuration>Enabling directory browsing for a specific directory
If you need browsing enabled for one particular directory but not the rest of the site, use a location tag to scope the setting. Create or edit the web.config in your site root:
<configuration>
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
<location path="downloads">
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</location>
</configuration>Replace downloads with the name of the folder you want to expose. This disables browsing globally while enabling it only for the specified directory.
Enabling directory browsing for the entire site
If you intentionally need browsing enabled across the whole site, omit the location tag:
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>Controlling what is displayed when browsing is enabled
You can control which columns appear in the directory listing using the showFlags attribute:
<configuration>
<system.webServer>
<directoryBrowse enabled="true"
showFlags="Date, Time, Size, Extension, LongDate" />
</system.webServer>
</configuration>Available flags: Date, Time, Size, Extension, LongDate. Combine them with commas to show multiple columns.
Method 2: IIS Manager (GUI)
If you prefer not to edit XML directly, you can manage directory browsing through the IIS Manager interface:
- Open IIS Manager (search for it in the Start menu, or run
inetmgr). - In the left panel, expand the server and find your site. Click on the site or the specific directory you want to configure.
- In the centre panel, double-click Directory Browsing.
- In the right panel (Actions), click Enable or Disable.
- The change takes effect immediately with no restart required.
Method 3: PowerShell
For scripting or remote management, use PowerShell to enable or disable directory browsing:
Disable for a specific site
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter /system.webServer/directoryBrowse `
-Name enabled -Value $false `
-PSPath "IIS:\Sites\YourSiteName"Enable for a specific site
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter /system.webServer/directoryBrowse `
-Name enabled -Value $true `
-PSPath "IIS:\Sites\YourSiteName"Disable globally for all sites on the server
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter /system.webServer/directoryBrowse `
-Name enabled -Value $false `
-PSPath "IIS:\"Replace YourSiteName with the exact site name as it appears in IIS Manager.
Troubleshooting
The change is not taking effect
Check whether a parent-level web.config or a server-level IIS setting is overriding your configuration. IIS applies settings hierarchically, with server-level settings taking precedence over site-level ones, and site-level over directory-level. Use IIS Manager and check the Directory Browsing setting at each level to identify where a conflicting rule may exist.
403 Forbidden error instead of a directory listing
A 403 when directory browsing is enabled usually means the IIS Directory Browsing feature is not installed at the server level. In Server Manager, go to Add Roles and Features → Web Server (IIS) → Common HTTP Features and ensure Directory Browsing is ticked.
The web.config changes are being ignored
Ensure the application pool running your site has permission to read the web.config file, and check that the allowOverride setting in the server's applicationHost.config is not locking the directoryBrowse configuration section for your site.
