Accessing files in moodledata folder without logging in

by Michael Rhodes

First off - I am running Moodle 9 with IIS 7 and MS SQL 2008. My MoodleData folder is not accessible from the web. I think the permissions are set correctly.

We have kiosk systems in certain places in our school. They are logged in with a low-privilege account. Here's the problem:

User A accesses our Moodle site and then accesses uploaded files in a course (say, a PDF document), then logs out of Moodle.

User B then logs into Moodle on the same machine (same machine user account - different Moodle account or no Moodle account). If user B is savvy, he can access the PDF file that user A accessed because (my guess) there is a cookie that allows him to pull it up without having to log in if he knows the direct link (which is in the history of the browser). I understand I can disable history and do other tweaks to the system to make cookies delete on browser close, etc., but that doesn't keep this from happening on machines outside of my domain.

Is there a way to keep this from happening?
