Inspired by the blog post by Ben Nadel about Simple Non-ColdFusion Document Security For Shared Hosting Environments, here is a simple solution for non-shared hosting (where you have control over IIS):

1. Set up a virtual directory in IIS.
2. Go to the virtual directory properties and, under the "main" tab, click the "Configuration" button.
3. Add an application extension mapping for ".*" to be processed by the ColdFusion server: "C:\CFusionMX7\runtime\lib\wsconfig\1\jrun.dll" (or whatever your path to CF is).
4. Write some code in Application.cfc (or Application.cfm if you wish) to handle the security for each request.

Now all requests (html, doc, etc.) should first be handed to ColdFusion.
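
A sketch of the Application.cfc from step 4, as an added example rather than code from the original post. It denies every request by default unless the session carries a login flag. The application name, the /docs/login.cfm path and the session.isLoggedIn flag are assumptions to replace with your own, and it relies on the mapping from step 3 delivering requests for every file type to ColdFusion.

```cfml
<!--- Application.cfc (added example, not the original author's code) --->
<cfcomponent output="false">

    <!--- Assumed application name and session settings --->
    <cfset this.name = "ProtectedDocs">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Assumed allow-list: the only paths reachable without a login --->
    <cfset variables.publicPages = "/docs/login.cfm">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Case-insensitive match, because IIS paths are not case sensitive --->
        <cfif listFindNoCase(variables.publicPages, arguments.targetPage)>
            <cfreturn true>
        </cfif>

        <!--- Deny by default: any other request (.cfm, .html, .doc, ...)
              needs the flag that the login page is assumed to set --->
        <cfif NOT structKeyExists(session, "isLoggedIn")
              OR NOT isBoolean(session.isLoggedIn)
              OR NOT session.isLoggedIn>
            <cfheader statuscode="403" statustext="Forbidden">
            <cfheader name="Cache-Control" value="no-store">
            <cfabort>
        </cfif>

        <!--- Keep proxies and shared browsers from caching protected files --->
        <cfheader name="Cache-Control" value="private, no-store">
        <cfreturn true>
    </cffunction>

</cfcomponent>
```

After deploying, request a non-.cfm file in the virtual directory from a browser with no session and confirm the 403; a 200 response means that request never reached Application.cfc.
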
The pitfalls might be:

1. Not a very scalable solution
2. Performance