My client must pass a "simplified" PCI compliance scan required by his bank even though his store transactions are handled by a third party site (paypal and authorize.net).
The site is failing the scan due to a file called domainsponsor_ad_frame.html (must be server based as I don't have anything like that in the site itself) until I can remove it (unlikely because I think it is system wide) or block it I can't pass the scan.

(see if you have it by putting in yourdomain.com/domainsponsor_ad_frame.html
If you get a white page you have it too.

Any ideas?

Try this: Login to cPanel. Find the "404 Settings" link. Choose to disable ads from appearing in 404 pages.

djmatt - that won't work. There's another thread about this where I have tried various ways to disable that page.

http://www.bluehostforum.com/showthread.php?24204-domainsponsor_ad_frame-html

As it turns out, it's a system level page put there by Bluehost and CANNOT be over-ridden - even by creating a file by the same name.

We (me and one other person) have brought this to the attention of a Bluehost admin last week. The last we heard is that it is being addressed, but as of today it still exists.

Can't test it myself, but I know cpanel has an "error pages" editor that basically just edits the shtml error documents under public_html. You should be able to replace whatever they have with something else.

If that doesn't work, you can set the path of any error document in an htaccess file like

ErrorDocument 404 /notfound.php

This is only for setting the page visitors get sent to when they try to access a file that doesn't exist, it won't stop you from accessing the file directly, since it sounds like it's a server file. However, without any references to it, it shouldn't ever be accessed.

It may be possible to use a rewriterule to prevent that file from being accessed at all, but if it's a server file that seems unlikely, since your own htaccess file will probably be bypassed.

I feel I should point out that because of the way the DNS is mapped it's actually possible to access any website hosted on your box from any domain pointing at it. If you know another user's username you could take your domain name and put /~username/ after it and access a completely separate website, just like the temporary urls.