By default, SharePoint doesn't block users with Limited Access from visiting application pages (for example, _layouts/viewlsts.aspx).
Anyone who knows the URL can go to such a page.
We can avoid this by switching Limited Access to lockdown mode. Use the commands below.
| Action | Command |
| --- | --- |
| Turn on lockdown mode for a site collection | `stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml` |
| Turn off lockdown mode for a site collection | `stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml` |
For more information, see http://technet.microsoft.com/en-us/library/cc263468(office.12).aspx#section6
Once lockdown mode is enabled, only groups/users with the View Application Pages permission will be able to visit these pages. You can either select the Restricted Read permission level or remove the View Application Pages permission for the users or groups that you want to block from application pages.
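
One way to confirm the effect after activating the feature, as an added example that is not part of the original post: run this script as an account that should be blocked (or with -Anonymous) and it reports whether each application page is still served. The parameter names, the function name Test-ApplicationPage and the reading of the status codes are assumptions of this example.

```powershell
# Added example, not from the original post. Run it as the account under test.
param(
    [Parameter(Mandatory = $true)][string]$SiteUrl,   # site collection URL
    [string[]]$Pages = @('_layouts/viewlsts.aspx'),   # application pages to probe
    [switch]$Anonymous                                 # send no credentials at all
)

function Test-ApplicationPage {
    param([string]$Url, [bool]$SendCredentials)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false       # keep a redirect to a sign-in page visible
    $req.UseDefaultCredentials = $SendCredentials
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx surface as WebException; its Response still carries the status code
        $web = $_.Exception.GetBaseException() -as [System.Net.WebException]
        if ($web -and $web.Response) { $resp = $web.Response } else { throw }
    }
    $code = [int]$resp.StatusCode
    $resp.Close()

    # Interpretation (assumption of this example): 200 means the page was served
    # to this account; 401/403 or a 3xx means it was refused or sent to sign-in.
    $result = switch ($code) {
        200                            { 'SERVED' }
        { 401, 403 -contains $_ }      { 'DENIED' }
        { $_ -ge 300 -and $_ -lt 400 } { 'REDIRECTED' }
        default                        { 'UNEXPECTED' }
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $code; Result = $result }
}

$base = $SiteUrl.TrimEnd('/')
$results = foreach ($p in $Pages) {
    Test-ApplicationPage -Url "$base/$p" -SendCredentials (-not $Anonymous)
}
$results | Format-Table Url, Status, Result -AutoSize

# Non-zero exit code if any application page is still reachable for this account
if ($results | Where-Object { $_.Result -eq 'SERVED' }) { exit 1 }
```

Run it once before and once after changing the permissions so that the difference for the tested account is visible.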