You're on stage re: information leakage, and this could be a significant thought for anybody rolling their own authentication/authorization scheme. +1 for mentioning OWASP. PHP-enabled IIS will seek to provide the directory listing, which will likely be disabled also. In that scenario, even with anon access, you'll get the http://pigpgs.com