I have a few applications running on 1 server, some applications should only be accessible by internal local user's while other applications can be access by anyone on the internet.
http://www.domain.com/APP1 - access internal user and internet user's http://www.domain.com/APP2 - access internal users only http://www.domain.com/APP3 - access internal users only
How do I configure IIS so that it would block internet user's from accessing some of my applications?
If the server has a NIC on a local network or VPN and you only want users on those networks to be able to access it, you can do this using IP address and domain name restrictions. Under the site Properties go to Directory Security -> IP address and domain name restrictions and follow the instructions in the linked KB article.
Assuming you are running your IIS instances on a AD connected server, then enable Windows Authentication on
APP2andAPP2.This will limit access to users who have a user account in your AD.
You could put AD auth as Richard suggested, but have you thought about putting your internal apps on an internal web/dns?
www.domain.com/app1 for your external www.domain.local/app2 and /app3 for your internal
Only list the .locals in your local DNS - and don't give it an external -> internal rule in your firewall. That way you don't have to even worry/think about what people outside your internal can do.
In the previous incarnation (IIS6), you could specify which IP's were allowed, and deny everything else, per site..
http://technet.microsoft.com/en-us/library/cc730889%28WS.10%29.aspx
Sort of shows how to do that on IIS7.. (not sure, don't have one lying around to test)
Assuming your users would be from the same subnets it should work...