I have the exact same problem described in https://forums.adobe.com/message/5653666#expires_in=86399993&token_type=bearer&access_token=eyJhbGci...
I just migrated to Windows 2008 server IIS 7.5 with ColdFusion 11 installed. We have a public(intranet) site where there are subfolders with restricted access (Windows Authentication, Basic Authentication) and various local groups that contain domain user accounts having access to these subfolders.
Static files such as html, jpeg , root folder '/' would a) check if the person is authenticated b) if the user has access read access to the files. ColdFusion files are the exception to the rule where it would bypass/ignore folder/file permissions.
In IIS 6, this problem is solved by checking off the 'Verify that file exists' checkbox for the wildcard jrun_iis6_wildcard.dll in the Application's Configuration Extension Mapping. Unfortunately I can't find the solution to this problem in IIS 7+. I can't believe this is still a problem. I searched the web and Adobe forums but couldn't find anything that helped.
I have spent several days playing with IIS settings including changing the Pipeline modes (Classic and Integrated), copying over the wild card jrun_iis6_wildcard.dll from ColdFusion 7MX (the old server) and invoking this wildcard handler only if request is mapped to file or folder for the application and the jarkata virtual directory, creating my own custom HTTP Managed handler in Csharp, changing the provider to NTLM etc.
I'm new to IIS 7+ so this was quite the learning curve.
Ultimately it didn't make any difference. The coldfusion files will authenticate to the Domain/Server(for basic authentication) but won't check the folder/file permission to see if the authenticated user has access to read/write the cfm files. The custom handler simply ignored the coldfusion files where as the handler would work for the static files.
Which makes me wonder if IIS authentication works at all for Coldfusion files. I tried looking at creating a coldfusion template that checks if the authenticated user has read/write permission(s) to the coldfusion file but I'm not able to find a coldfusion function that lists file/folder ACLs per user.
Any help would be greatly appreciated.
Have you checked the IIS logs to see if the username is being captured for the CFM files?