A common application design is to place files that require authentication in a separate directory.
ASP.NET configuration files, this approach is easy. Just leave the default
settings in the
normal parent directory, and add a web.config file that specifies stricter settings in the secured
This web.config simply needs to deny anonymous users (all other settings and configuration
can be omitted).
Generally, setting file access permissions by directory is the cleanest and easiest approach.
also have the option of restricting specific files by adding tags to your web.config
The location tags sit outside the main tag and are nested directly in the base
tag, as shown here: