For IIS 6.0:
- ASP.NET Forms authentication will only secure content that is processed by
the aspnet_isapi.dll (mainly .aspx files). If you need to replace other static file types (such as text files, video files, etc...), you can do that by mapping them to the aspnet_isapi.dll.
For IIS 7.0 (Integrated Pipeline mode):
- The default configuration for all managed modules shipped with IIS 7.0, including the Forms Authentication and URL Authorization modules, uses a precondition so that these modules only apply to content that an (ASP.NET) handler manages. This is done for backwards compatibility reasons. (as mentioned in For IIS 6.0 section)
- By removing the precondition, we make the desired managed module execute for all requests to the application, regardless of content. This is necessary in order to protect our static files, and any other application content with Forms-based authentication.
- To do this, open the application's web.config file located in the %systemdrive%\inetpub\wwwroot directory, and paste the following lines immediately below the first <configuration> element:
3: <remove name="FormsAuthenticationModule" />
4: <add name="FormsAuthenticationModule"
5: type="System.Web.Security.FormsAuthenticationModule" />
6: <remove name="UrlAuthorization" />
7: <add name="UrlAuthorization"
8: type="System.Web.Security.UrlAuthorizationModule" />
9: <remove name="DefaultAuthentication" />
10: <add name="DefaultAuthentication"
11: type="System.Web.Security.DefaultAuthenticationModule" />
This configuration re-adds the module elements without the precondition, enabling them to execute for all requests to the application.
Check this article for more explanation http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/
Hope it helps.