As we know that IIS reject requests which contain folder started with App_ (specifically App_code, App_GlobalResources, App_LocalResources, App_WebReferences, App_Data, App_Browsers folders). Lot of developers put some important files here so that only the application code can access these files and nobody can access these files directly. With the introduction of ASP.NET MVC 4, a new folder App_Start has been included in the application template. But there is a chance that developers put important files in App_Start folder without realizing that this folder is not protected by IIS request filtering module. So, I just want to warn the developers that don't confuse App_* folders with App_Start folder. App_*(see the list above) folders are protected by IIS and App_Start folder is not.