what is your exact concern? btw, IIS does not allow external users to access your web.config file.

With asp.net, it is very secure. Another step you can take to make it more secure is to create ASPX holder pages with all includes of ASCX. That way no one, ever, can read your ascx page. You can also encrypt all data sent and then decrypt when you receive it. A step that isn't usually followed, but can be done. ASP.NET is a very secure language. Everything read on your server is spit out as html, so therefore no one ever see's your asp.net coding, the backend, etc.

What version of ASP.NET? 1.0, 1.1, 2.0, or 3.0... each has different security levels/requirements/restrictions unique to its code level.

For 2.0 : http://aspnet.4guysfromrolla.com/articles/120705-1.aspx