Security and the Server.Transfer method

When we restrict access to certain pages or sections of an ASP.NET Web Application, we must be careful with the Transfer method of the HttpServerUtility class (Server.Transfer).

Imagine that users with minimum privileges are denied access to a page because they do not belong to the Administrators role. Put a button on a page that all users can reach and, in its click handler, call the restricted page via Server.Transfer. Run the application and click the button. You will see that the user reaches the restricted page regardless of whether he is authorized to access it.

This happens because the authentication and authorization steps of the pipeline are not re-executed when Transfer is called. They already ran when the browser requested the original resource (the public page), and the URL authorization rules were evaluated against that request path. Transfer simply executes the target page's handler inside the same request, so the rules protecting the target URL are never consulted.

There are two ways to resolve this problem. One is to call the Redirect method instead of Transfer. Redirect sends a 302 response, which forces the browser to issue a new request for the restricted URL, so authentication and authorization run again against that URL. The second is to keep using Transfer and, in the destination page, validate the user explicitly with the IsInRole method (for example in Page_Load), refusing to render the page if the user does not have permission to access the resource.
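The scenario described above, written out as an added example that is not code from the original post: a public page whose button handler uses Server.Transfer to reach a restricted page, the web.config rule that is supposed to protect that page, and the two fixes (Response.Redirect, and an explicit User.IsInRole check in the destination page). The file names (Default.aspx, Admin/Admin.aspx), the role name "Administrators" and the control names are assumptions made for illustration.

```csharp
// Added example (not from the original post). Assumed layout:
//   /Default.aspx        - reachable by every authenticated user
//   /Admin/Admin.aspx    - meant to be reachable only by Administrators
//
// web.config fragment (assumed) that protects the Admin folder. The rule is
// evaluated by UrlAuthorizationModule against the URL the browser requested,
// not against a page reached later through Server.Transfer.
//
// <location path="Admin">
//   <system.web>
//     <authorization>
//       <allow roles="Administrators" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
// </location>

using System;
using System.Web;
using System.Web.UI;

// Default.aspx.cs
public partial class _Default : Page
{
    // VULNERABLE: Server.Transfer executes Admin.aspx inside the current
    // request. Authorization already ran for /Default.aspx, so the
    // <location path="Admin"> rule is never evaluated and any user who can
    // click this button reaches the admin page.
    protected void btnAdminTransfer_Click(object sender, EventArgs e)
    {
        Server.Transfer("~/Admin/Admin.aspx");
    }

    // FIX 1: Response.Redirect sends a 302 to the browser. The browser then
    // requests /Admin/Admin.aspx itself, and that request goes through the
    // full pipeline, so the web.config authorization rule is enforced.
    protected void btnAdminRedirect_Click(object sender, EventArgs e)
    {
        Response.Redirect("~/Admin/Admin.aspx");
    }
}

// Admin/Admin.aspx.cs
// FIX 2: if Server.Transfer must stay, the destination page cannot rely on
// web.config having been applied to it, so it re-checks the role itself.
public partial class Admin : Page
{
    private const string RequiredRole = "Administrators"; // assumed role name

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsAuthorizedForThisPage())
        {
            // Stop before any markup is rendered. HttpException with a status
            // code turns into a 403 response (or the configured custom error).
            throw new HttpException(403, "Forbidden");
        }
    }

    // Separate method so the rule is easy to unit test and reuse.
    private bool IsAuthorizedForThisPage()
    {
        return User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole(RequiredRole);
    }
}
```

The same explicit check is needed in every page that can be reached via Server.Transfer (or Server.Execute, which behaves the same way with respect to the pipeline), because the destination page has no way of knowing whether it was reached by a direct browser request or by a transfer from a less restricted page.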
