CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Parent paths are paths that refer to folders located above the current folder. Enabling parent paths allows application code to access folders above the one the page lives in.
When you enable parent paths, you specify that an ASP page may use paths relative to the current directory (using the ../ notation). Parent paths are no longer enabled by default. This affects your application if it has a web page that contains the #include server-side include directive and uses .. notation to refer to a parent directory. Enabling parent paths corresponds to the metabase setting AspEnableParentPaths, which can be set per web site, virtual directory or application.
Enabling parent paths becomes a problem if the application navigates so far up the folder hierarchy that it ends up outside its own web root. For example, assume you have two web applications maintained by two different users, located in c:\inetpub\application1\ and c:\inetpub\application2\.
If parent paths are allowed, a malicious coder in application1 could enter the following:
Response.Write(Server.MapPath("../application2/default.asp"))
in order to get the physical path to the default.asp page located in application2 (the ../ syntax tells the code to move up one folder). This physical path could then be passed to the FileSystemObject to open default.asp and stream its source code back to the malicious user, provided the identity the request runs as has NTFS read access to that file.
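Before enabling AspEnableParentPaths for an application, it is worth knowing two things: whether the application actually uses ../ at all, and whether any of those references resolve outside the application's own root (the case described above). The following audit script is an added example, not part of the original text or of any IIS tooling. It models how ASP resolves #include file paths and Server.MapPath arguments relative to the calling page, and flags every reference that uses a parent path and every reference that escapes the application root. The sample application contents are constructed in memory for the demonstration; the application root is assumed to be the same directory as the virtual root, and virtual= includes are assumed to be rooted there.

```python
import posixpath
import re

# Constructed sample ASP application (relative path -> page source), not real files.
# default.asp contains the exact traversal from the text; admin/report.asp uses a
# benign parent path that stays inside the application.
SAMPLE_APP = {
    "default.asp": (
        '<!-- #include file="inc/header.asp" -->\n'
        '<% Response.Write(Server.MapPath("../application2/default.asp")) %>'
    ),
    "admin/report.asp": (
        '<!-- #include file="../inc/header.asp" -->\n'
        '<% Response.Write(Server.MapPath("data/report.txt")) %>'
    ),
}

# Only string literals are matched; paths built at run time are not visible to a
# static scan and need a run-time containment check instead (see note below).
INCLUDE_RE = re.compile(r'#include\s+(file|virtual)\s*=\s*"([^"]+)"', re.IGNORECASE)
MAPPATH_RE = re.compile(r'Server\.MapPath\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def resolve_reference(page, kind, target):
    """Resolve one include/MapPath target relative to the page that contains it.

    Returns the normalized path relative to the application root. Paths are kept
    relative (no leading slash) so that a leading '..' survives normalization and
    unambiguously marks an escape from the root.
    """
    normalized_target = target.replace("\\", "/")
    if kind == "virtual" or normalized_target.startswith("/"):
        # virtual= includes and rooted paths are relative to the site root,
        # which this model assumes is also the application root.
        joined = normalized_target.lstrip("/")
    else:
        # file= includes and MapPath arguments are relative to the page's folder.
        joined = posixpath.join(posixpath.dirname(page), normalized_target)
    return posixpath.normpath(joined)


def audit(app):
    """Return one finding per literal include or MapPath reference in the app."""
    findings = []
    for page, source in app.items():
        refs = [(kind.lower(), target) for kind, target in INCLUDE_RE.findall(source)]
        refs += [("mappath", target) for target in MAPPATH_RE.findall(source)]
        for kind, target in refs:
            resolved = resolve_reference(page, kind, target)
            findings.append({
                "page": page,
                "kind": kind,
                "target": target,
                "resolved": resolved,
                # Needs AspEnableParentPaths at all?
                "uses_parent_path": ".." in target.replace("\\", "/").split("/"),
                # Resolves above the application root?
                "escapes_root": resolved == ".." or resolved.startswith("../"),
            })
    return findings


def needs_parent_paths(findings):
    return any(f["uses_parent_path"] for f in findings)


def escaping_references(findings):
    return [f for f in findings if f["escapes_root"]]


if __name__ == "__main__":
    results = audit(SAMPLE_APP)
    print("AspEnableParentPaths required:", needs_parent_paths(results))
    for f in results:
        flag = "ESCAPES ROOT" if f["escapes_root"] else "ok"
        print(f"{f['page']}: {f['kind']} {f['target']!r} -> {f['resolved']} [{flag}]")
```

Running it on the constructed sample reports that the application does need parent paths (admin/report.asp legitimately includes ../inc/header.asp, which resolves to inc/header.asp inside the root) and that default.asp's Server.MapPath("../application2/default.asp") resolves to ../application2/default.asp, outside the root. The first kind of reference is the only reason to turn the setting on; the second is the reason to audit before doing so. A static scan cannot see paths assembled from user input such as Server.MapPath(Request("f")); those must be resolved and checked for containment at run time before a file is opened.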
By default, parent paths are disabled in IIS 6.0. This prevents ASP code and include directives from using the ../ syntax to move up a folder from the current folder. If an application requires parent paths to be enabled, perform the following steps:
Open...