Locking Configuration Settings
By default, configuration files located in subdirectories override and extend all configuration settings defined in parent configuration files. In application hosting scenarios, administrators often want to lock or make some settings on a site unchangeable to prevent modification. For example, an administrator might want to lock the sandbox security settings for hosted applications to reduce the risk of attacks on the system.
Administrators can lock configuration settings by adding an allowOverride="false" attribute to a <location> directive. This tells the configuration system to throw an error if a lower-level configuration file attempts to override any configuration section defined within this locked <location> directive.
The following example configuration file (which could be stored at either the main system level or at the site level) locks the trust level of two different ASP.NET applications (application1 and application2). Other possible locking attributes to use are lockItem, lockAttributes, lockElements, and so on. For more information, see General Attributes Inherited by Section Elements.
<configuration> <location path="application1" allowOverride="false"> <system.web> <trust level="High"/> </system.web> </location> <location path="application2" allowOverride="false"> <system.web> <trust level="Medium"/> </system.web> </location> </configuration>
Any attempt to use the configuration settings in the following code example to override the configuration settings in the preceding code example would generate a configuration system error.
<configuration> <system.web> <trust level="Full"/> </system.web> </configuration>