When you create a remote virtual directory through Internet Information Server, you set up and user ID and password. Queries to that virtual directory are specified in the context of the user ID and password assigned to the directory. Although a user cannot open a file on that directory with an application, the user can send a query and see the contents of the file in the results. For more information, see Remote Virtual Roots.
To guard against this potential security violation, put all your virtual directories on the local computer rather than on remote computers.