This PR adds logic to get-image.aspx and get-rdp.aspx that requires the currently authenticated user to have access to the rdp/icon file for it to be served. Since all users have read access to C:\inetpub by default, all RDP and image files will also be available to any user by default. RAWeb installations that use anonymous authentication are also supported (as long as the IUSR user can access the RDP/image files). With this PR, the multiuser permisisons functionality described in the wiki is restored.

This PR also modifies the setup script to remove anonymous authentication on the resources and multuser-resources folders. To prevent access to restricted resources, resources should only be accessible via get-image.aspx and get-rdp.aspx.

Tested webfeed scenarios

• Deny access to an RDP file
• Deny access to an icon
• Deny access to a dark mode icon
• Deny access to the entire resources folder
• Deny access to entire folder inside of resources
• Deny access to the entire multiuser-resources folder
• Deny a user access to their folder in multiuser-resources/users
• Deny a user access to a subfolder of their folder in multiuser-resources/users
• Deny a user access to group folder in multiuser-resources/groups
• Deny a user access to a subfolder of a group folder in multiuser-resources/group

Tested clients

• Web app (RAWeb)
• Windows RADC
• Andoid client