When configuring your website it is sometimes necessary to include information in the web.config file that you don’t want others to see.  I’m not even talking about usernames and passwords, since IIS6 allows you to configure a website to run in under an application pool using specific user credentials.  I am talking more specifically about application settings and database connection strings. 

If you must place sensitive information into the web.config file than you have a couple of options:  First you can come up with some crafty encryption methods to read and write the contents of your web.config file (bad idea).  Second you can leverage the aspnet_regiis.exe command line tool to encrypt the sections of your web.config file (good idea).  Last, leverage some new features in the .NET 2.0 to encrypt the web.config programatically…

I wanted to make life easier on myself so I borrowed some code from other people and came up with an interface page that can perform the changes to the web.config using an .aspx file.  You are welcome to download the EncDecWebConfig.zip file if you would like and see if they will work for you.