All the pages having _layouts before them are application pages. Pages created automatically for various views are called Form Pages. Most often with SharePoint implementation we allow users to access these pages. However we may further want to cut down access of users from the application pages and the form pages.
SharePoint allows this by enabling the feature “ViewFormPagesLockDown”. This feature is activated at the Site Collection scope. All groups / users not having the “View Application Pages” permission will not be able to navigate to pages like “_layouts/viewlsts.aspx” or “pages/forms/allitems.aspx”.
Below are the steps to block access from application pages:
- Identify users / group to restrict.
- Set their permission to "Restricted Read" or remove the "View Application Pages" from existing assigned permission level.
- Enable "ViewFormPagesLockDown" feature using the command - stsadm -o activatefeature -url "SiteCollectionURL"
-filename ViewFormPagesLockDown\feature.xml
The above steps will block all users not having "View Application Pages" permission from accessing the application pages and form pages.
