When a query is issued for a directory with scripts in it, part of the actual code can be revealed in the hit highlighting that is returned. To control the kind of script file to make available to searches, you can set a new global registry parameter. Depending on the setting, you can allow clients to see none of the contents in script files, the contents only in files written with scripts that have recognized filters, such as the HTML filter for .asp files. For details, see WebhitsDisplayScript on the Main Registry Parameters page.
Note Hit highlighting displays only the HTML portion of script files. No raw code is returned.
To fully protect the contents of your script files, make sure the directory where they are stored has either Script or Execute permission, but not Read permission.