All the great security features in ASP.NET do not really help you when you look at your older classic ASP applications. Although forms authentication and URL authorization have been around since the ASP.NET 1.0 days, these features have not been of any use in the ASP world. With the introduction of the Membership and Role Manager features in ASP.NET 2.0, you had even more authentication and authorization functionality built into ASP.NET, which ASP.NET 3.5 continues to support. But again, it seems like that functionality is orphaned in the ASP.NET world and never made it over to the world of classic ASP.
Why attempt to bring the ASP.NET and classic ASP worlds together? In terms of sheer volume of code written, the majority of web applications out there are still running on classic ASP. Even if you surf around Microsoft's own sites, such as the MSDN online library and various links and subsites of www.microsoft.com, you still encounter a lot of classic ASP pages.
In ASP.NET 2.0 a number of small changes were made in some admittedly esoteric aspects of the runtime to make it possible to more tightly integrate ASP.NET and classic ASP. These changes also rely on modifications made earlier to IIS 6 around handling for ISAPI extensions. Both of these changes taken together make it possible to wrap classic ASP sites inside of ASP.NET.
With the release of ASP.NET 3.5 and IIS 7.0, the integration between ASP.NET and classic ASP is ...