In many places in msdn documentation you can find references to App_Data directory. For example here we can read:
To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory.
and
Files stored in the App_Data directory will not be served to the Web.
I could not find a direct reference that would specify how is that security guaranteed. Are there any IIS settings etc. that I should watch out to ensure that the files we put in the App_Data directory suddenly do not become available to everyone.
The files are protected by a forbidden file handler. That is safe so long as everything is running. There are possibilities that the ASP.NET handlers can go down leaving only IIS running. In those cases your web.config files and aspx files will be served as straight text files.
If you data isn’t really sensitive, it is a good place to store data. If you have highly sensitive data, store it on another machine.
Edit: More information You can read more about forbidden file handlers here http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx. Scrolling down you will notice there is an entry in the ‘root web.config’ file for mdfs. You can typically find this file on your machine at C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
I couldn’t find too much info about bringing down asp.net while still leaving iis running, but if you google around for terms like ‘asks to download aspx’ or something like that you can find reports of people having issues (typically asp.net not being configured properly) which would allow for an exploit to occur. I haven’t seen it happen very much, but it is possible.