Protecting non-ASP.NET files
In ASP.NET 1.x, there is a problem when we request non-ASP.NET files that are "protected" by Forms Authentication. These resources do not pass through the ASP.NET authentication and authorization modules, so regardless of the Web.config settings, the protected resource is always visible to all users, including anonymous users.
The solution is to map the protected file extension to the HttpForbiddenHandler handler in the application's Web.config file, or to configure IIS directly, as I show in this post. But these solutions are very complicated: in the first case the ASP.NET runtime serves all requests, so performance degrades. The second solution may be impossible because the hosting service doesn't allow you to configure the server.
ASP.NET 2.0 solved this problem by adding a new handler called DefaultHttpHandler (for the verbs GET, HEAD and POST). This handler runs for all non-ASP.NET files (such as images, *.htm, *.asp, etc.), validating the user and checking whether they have permission. If the request is valid, IIS hands it to whatever is responsible for processing that resource. Now performance is very good and you can use the Forms Authentication infrastructure (authentication and authorization modules) to protect your non-ASP.NET files.
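An added example, not from the original post: a Web.config for an ASP.NET 2.0 application that uses Forms Authentication to deny anonymous users access to a folder of static files. The folder name `reports`, the login page `Login.aspx` and the `*.pdf` extension in the commented-out 1.x entry are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication for the whole application.
         Login.aspx is an assumed page name. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" />
    </authentication>

    <!-- ASP.NET 1.x approach described above: map the extension to
         HttpForbiddenHandler. The *.pdf extension is an assumed example.
         Left commented out because it is not needed in 2.0.
    <httpHandlers>
      <add verb="*" path="*.pdf" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
    -->

    <!-- ASP.NET 2.0 needs no handler entry here: DefaultHttpHandler is
         already registered for path="*" (verbs GET, HEAD, POST) in the
         machine-level configuration. -->
  </system.web>

  <!-- Authorization rule for the folder holding the static files.
       "reports" is an assumed folder name. -->
  <location path="reports">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users; authenticated users are allowed. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The rule only applies to requests that IIS actually hands to ASP.NET. To check the deployment, request a file under the protected folder without an authentication cookie and confirm the response is a redirect to the login page rather than the file.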