I have an old project, designed with ASP.NET 2.0 and written in VB 9.0, running on IIS 8.0. After the user has logged in, a user can access the server's files and download them through the browser's URL bar.
One operation of this web app is to give a user permission to download some files or folders from a unique route (a folder on the server's C: drive).
More specifically:
when at the home page: https://xx.xx.xx.xx./My_app/operations/home.aspx
the user then has access and downloads the file.
Also, this pop-up runs through JavaScript: operations/ManageFiles/FileDownload.aspx?
After searching the web I have tried different approaches:
- Rewriting inbound rules in IIS Manager
- Adding to web.config: required validation=true in System.Web
- Adding JavaScript code to the above file which includes the pop-up:

```javascript
if (user_input.indexOf('\0') !== -1) {
    return respond('Access denied');
}
```
- Adding validation code in Visual Basic:

```vb
Imports System.IO   ' Path, FileNotFoundException
Imports System.Web  ' HttpUtility

Dim path2 As String = Request.QueryString("filename")
' First Validation
If path2.IndexOfAny(Path.GetInvalidFileNameChars()) > -1 Then
    Throw New FileNotFoundException("Error")
End If
' Second Validation
If path2.IndexOf(Chr(0)) <> -1 Then
    Throw New ApplicationException("Access Denied")
End If
' Third Validation
If String.IsNullOrEmpty(path2) Then
    Throw New ApplicationException("Error, something is wrong...")
Else
    ' Url decode to reveal encoded attempts e.g. '%2f' (/) or '%2e%2e%2f' (../)
    Dim decodedPath As String = HttpUtility.UrlDecode(path2)
    Try
        If decodedPath.Contains("/") Then
            Throw New Exception()
        End If
        If decodedPath.Contains("\") Then
            Throw New Exception()
        End If
        If decodedPath.Contains("$") Then
            Throw New Exception()
        End If
        If decodedPath.Contains("..") Then
            Throw New Exception()
        End If
        If decodedPath.Contains("?") Then
            Throw New Exception()
        End If
    Catch ex As Exception
        Throw New Exception()
    End Try
End If
```
None of the above attempts has worked for me, and the user still has access to sensitive files.
I cannot identify where to add validation in the project, or whether the above potential solutions are effective or not. I need your recommendations.
Thank you in advance.
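One way to do the check the attempts above are reaching for, as an added VB.NET example that is not code from the original post: canonicalise the requested name under the download root and refuse anything that resolves outside it (the root folder and the module name are assumptions).

```vb
Imports System
Imports System.IO

' Added example, not code from the original post. It resolves the requested
' file name against a fixed download root and refuses anything that escapes it.
' The root folder and how the resolved file is served are assumptions.
Public Module SafeDownload
    ' Returns the full path to serve, or Nothing when the request must be refused.
    Public Function ResolveDownloadPath(downloadRoot As String, requested As String) As String
        If String.IsNullOrEmpty(requested) Then Return Nothing
        ' Reject embedded NUL and any character Windows forbids in a path.
        If requested.IndexOf(ControlChars.NullChar) <> -1 OrElse _
           requested.IndexOfAny(Path.GetInvalidPathChars()) <> -1 Then
            Return Nothing
        End If

        Try
            ' Canonicalise the root once and give it a trailing separator, so
            ' "C:\Downloads2\x" cannot pass a prefix test against "C:\Downloads".
            Dim root As String = Path.GetFullPath(downloadRoot)
            If Not root.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
                root &= Path.DirectorySeparatorChar
            End If

            ' Path.Combine drops the root when the second argument is rooted
            ' ("\x" or "C:\x"), so join as a string and let GetFullPath collapse
            ' every "..\" segment. A drive letter inside 'requested' makes
            ' GetFullPath throw on .NET Framework, which the Catch turns into a refusal.
            Dim candidate As String = Path.GetFullPath(root & requested)

            ' Accept only results that still lie under the root.
            If candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
                Return candidate
            End If
        Catch ex As Exception
            ' ArgumentException, NotSupportedException, PathTooLongException, ...
        End Try
        Return Nothing
    End Function

    ' Constructed sample inputs; the root folder is an assumption.
    Sub Main()
        Dim root As String = "C:\My_app\Downloads"
        For Each name As String In New String() {"report.pdf", "sub\notes.txt", "..\web.config", "..\..\Windows\win.ini", "\secret.txt"}
            Dim resolved As String = ResolveDownloadPath(root, name)
            Console.WriteLine("{0,-28} -> {1}", name, If(resolved Is Nothing, "refused", resolved))
        Next
    End Sub
End Module
```

Request.QueryString already URL-decodes the value once, so decoding it again in the handler is unnecessary; whatever the handler finally opens must be the returned candidate, not the raw query value.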