By default Sharepoint doesn’t blocks user with limited access from visiting application pages (for ex _layouts/viewlsts.aspx).

Someone who knows the URL, can go to this page.

 We can avoid this by change the limited access to lockdown mode. Use the command below.




Turn on lockdown mode for a site collection

stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

Turn off lockdown mode for a site collection

stsadm -o deactivatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

For more info on this visit 


 Once locked down mode is enabled, groups/users with View Application pages will only be able to visit these pages. You can either select Restricted Read permission or remove View Application Pages permission for the users or groups which you want to block application pages.