Update: The below “solution” should not be considered as it creates invalid URLs. All ampersands should be encoded as “%26″, see Bill’s comments from Nov. 11, 2010. This was just meant as a quick-fix-short-term-workaround as these URLs were supported in IIS 6. There’s a reason why IIS 7 and above don’t support them.
With the arrival of ASP.NET MVC and the complementary IIS7 file-extension-less request pipeline it’s finally possible to turn ugly “classic ASP.NET” query string URLs into pretty and orderly REST-style URLs, functionality that PHP had for ages. Out with http://mysite.com/catalog.aspx?category=1&product=100, here comes the more pleasing http://mysite.com/widgets&gadgets/the-useful-&-beautiful-widget
However, the ampersand in the latter will generate a “400 Bad Request” response with the default settings in IIS 7 because the ampersand (&) is not acceptable in the request for security reasons. As discussed here, it takes two measures to fix this and make the URL (I did not have to take the third measure quoted in the post, which is setting ValidateRequest=”false” in the ASP.NET MVC view page):
- AllowRestrictedChars http://support.microsoft.com/kb/820129
- Interestingly enough, enable VerificationCompatibility (http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437), a measure designed for pre-SP1 ASP.NET 1.1, but necessary here even with ASP.NET 3.5 to get the ampersand URLs working.
Hope it helps.