I was working on a project where our client requested that we allow clean URLs which contain the ampersand symbol (&). The website is powered by our in-house CMS, which allows generation of clean URLs (without file extensions) by page.
While it is not good practice (at all) to allow ampersands (and other special characters) in a URL, there are some situations where you just have to work around it and accept those URLs (e.g. the URL was created previously and has been widely spread).
By default, IIS will block URL requests containing special characters (%, &, :, *) for security reasons, returning the error “400 Bad Request” (or simply “Bad Request” in some cases).
The workaround is rather simple: just follow the steps below. Be extra careful, as it involves changes to your registry.
- Set “AllowRestrictedChars” to 1 (http://support.microsoft.com/kb/820129)
- Set “VerificationCompatibility” to 1 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437) – yes, it applies to ASP.NET frameworks other than 1.1
- If you are running a 64-bit version of Windows, you may also want to set “VerificationCompatibility” to 1 (Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET)
- And if all of the above does not help, you may want to try setting “<Page ValidateRequest=false>” in your website’s web.config
Do note that for steps 1 and 2, you’ll need to restart IIS and/or the HTTP-related services, so you may want to follow the steps closely.
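To see which of these relaxations are currently active on a server (before making the change, or when reviewing a host later), the values can be read back with PowerShell. This is an added example, not part of the original post; the HTTP.sys and native ASP.NET key paths are taken from the two Microsoft KB articles linked above rather than from this page, and the script only reads the registry.

```powershell
# Added example: report whether the relaxations from the steps above are set.
# Read-only. Run in an elevated PowerShell session on the IIS host.

$checks = @(
    # HTTP.sys parameter described in KB 820129 (path assumed from that article)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
       Name = 'AllowRestrictedChars' },
    # ASP.NET value described in KB 826437, native registry view
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ASP.NET'
       Name = 'VerificationCompatibility' },
    # Same value in the 32-bit view on 64-bit Windows (path given in the post)
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\ASP.NET'
       Name = 'VerificationCompatibility' }
)

$report = foreach ($c in $checks) {
    $value = $null
    if (Test-Path -Path $c.Path) {
        # A missing value is not an error here; it means the default applies
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($c.Name) }
    }
    [pscustomobject]@{
        Key     = $c.Path
        Name    = $c.Name
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Relaxed = ($value -eq 1)
    }
}

$report | Format-Table -AutoSize -Wrap

# Flag the host if any of the default checks has been switched off
if ($report | Where-Object Relaxed) {
    Write-Warning 'One or more URL/request checks are relaxed on this host.'
}
```

Saving the output before changing anything gives a record of the original values to restore later.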
Hopefully it will help those who had the same problem as I did.