When using ASP include files, it is usually better to use
the .asp file extension rather than .inc. This is because many IIS web servers
do not recognize that the .inc files contain ASP content. Although it is
possible to associate files with .inc file extensions with the ASP interpreter
via the Application Mappings settings within IIS, not many websites are
configured to do this.
If IIS is not aware of .inc files containing ASP, then HTTP
requests for them will be returned to the client as plain text. This does of
course mean that the source code in the file will be viewable by anyone. This
is a particular hazard if there is sensitive data contained within them, such
as passwords or database connection strings.
Although it is possible that your .inc files may go
unnoticed, there are several methods by which they may get discovered.
A malicious user may come across them if they are in a
sub-folder with a guessable name (such as "includes") and the folder
has directory browsing switched on. Turning off directory browsing will help
alleviate this issue.
An ASP error on a page using the include file will show the
path to the include file if the error was encountered in that include file.
Configuring IIS not to send detailed ASP error messages to the client will
avoid this issue.
The other advantage of using the .asp extension is that file editors, such as
Visual InterDev, will automatically recognize the file as containing ASP code
and will syntax highlight and color code the source code appropriately.
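
To find include files that would be served as plain text, the following added example (not part of the original article) walks a web root, flags .inc files that contain ASP code, notes whether they appear to hold credentials or connection strings, and lists the pages whose #include directives must be updated if the file is renamed to .asp. The extension set, the keyword patterns and the sample site are assumptions made for illustration.

```python
import os
import re
import tempfile

# Extensions assumed NOT mapped to the ASP interpreter (assumption; match your IIS mappings).
UNMAPPED_EXTS = {".inc"}
ASP_CODE = re.compile(r"<%|<script[^>]*runat\s*=\s*[\"']?server", re.I)
SENSITIVE = re.compile(r"password|pwd\s*=|uid\s*=|provider\s*=|connectionstring", re.I)
INCLUDE = re.compile(r"<!--\s*#include\s+(?:file|virtual)\s*=\s*\"([^\"]+)\"\s*-->", re.I)

def audit_includes(webroot):
    """Return {relative .inc path: {"sensitive": bool, "included_by": [pages]}}."""
    findings, texts = {}, {}
    for folder, _, names in os.walk(webroot):
        for name in names:
            rel = os.path.relpath(os.path.join(folder, name), webroot).replace(os.sep, "/")
            with open(os.path.join(webroot, rel), encoding="latin-1") as fh:
                texts[rel] = fh.read()
    for rel, text in texts.items():
        ext = os.path.splitext(rel)[1].lower()
        if ext in UNMAPPED_EXTS and ASP_CODE.search(text):
            findings[rel] = {"sensitive": bool(SENSITIVE.search(text)), "included_by": []}
    # Map pages to the flagged files they include (matched by file name only, an approximation).
    for rel, text in texts.items():
        for target in INCLUDE.findall(text):
            base = os.path.basename(target.replace("\\", "/")).lower()
            for inc in findings:
                if os.path.basename(inc).lower() == base:
                    findings[inc]["included_by"].append(rel)
    return findings

def build_sample_site(root):
    """Constructed sample site, not taken from the article."""
    os.makedirs(os.path.join(root, "includes"))
    files = {
        "includes/db.inc": '<%\nConst CONN = "Provider=SQLOLEDB;uid=app;pwd=EXAMPLE"\n%>',
        "includes/footer.inc": "<p>Static footer, no ASP code</p>",
        "includes/util.asp": "<% Function Twice(x) : Twice = x * 2 : End Function %>",
        "default.asp": '<!-- #include file="includes/db.inc" -->\n<% Response.Write "hi" %>',
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for inc, info in audit_includes(site).items():
            print(inc, "sensitive" if info["sensitive"] else "code only", info["included_by"])
```

Files flagged as sensitive are the first candidates for renaming to .asp, with the listed pages updated to match.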