I'm having a problem setting up autrhentication and authorisation in IIS7 and the web config file for an ASP.NET 3.5 application.
What I want to do is restrict access to content that is being served by IIS, so all pages/assets, but I want to do this via the web config file so I can allow access to specific resources when the right url (with an access token in it) is provided.
I currently have anonymous authentication enabled in IIS. In the web config, the authentication mode for .NET is set to none. I've got an authorisation node in the web config denying access to all users (*) but I'm still able to access static content (an html page) from the site. Does anyone know whe're I'm going wrong in setting up the authentication/authorisation?