This may be a known issue - but I'm serving 50+ IIS websites using a single IP and multiple unique host headers on an IIS6/Windows 2003 Server.
Problem is with monitoring. If a particular site goes down or is STOPPED, the HTTP monitor still reports the site is UP -- I'm assuming because the request just falls to the next site 'in line' or maybe the first site that can serve the request. So site A will see site B's content.
This not only affect monitoring, but can allow one customer to see another customer's login screen! Is there any way -- aside from giving each site a unique IP address that I can stop this from happening? I read this related question, and still don't know how to resolve. I want Site A to actually be DOWN when I stop the site -- not just fall back to another site.
UPDATE: Site also uses SSL, but no host header shows in the UI.
Stopping websites... what did you want to happen?
The fall-through behaviour is probably this:
if there's a site binding which is a specific match, show that site
if not, if there's a less specific site binding which still matches, show that site
if not, show nothing
I don't know which HTTP monitor or how it works, so I'm focusing on the browser behaviour you describe involving "the wrong logon page".
I expect:
If all your sites have host headers, I'd expect this issue to go away, it'll behave broadly how you'd expect (404 or 5XX response when requesting a disabled site).
But if any site binding includes a non-host-headered IP address, and no host header, that'll be the "default" site for that IP address, and the request will fall through to it.
This gets easier in IIS 8+ with Server Name Indication allowing specific SSL bindings, but it's still a variation on the same principle - if no names match specifically but the IP is correct, you get the IP binding.