I'm having a problem setting up autrhentication and authorisation in IIS7 and the web config file for an ASP.NET 3.5 application.

What I want to do is restrict access to content that is being served by IIS, so all pages/assets, but I want to do this via the web config file so I can allow access to specific resources when the right url (with an access token in it) is provided.

I currently have anonymous authentication enabled in IIS. In the web config, the authentication mode for .NET is set to none. I've got an authorisation node in the web config denying access to all users (*) but I'm still able to access static content (an html page) from the site. Does anyone know whe're I'm going wrong in setting up the authentication/authorisation?

I've managed to solve the problem by adding the follwing to the web config.

       <remove name="UrlAuthorization" />    
       <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />    

It seems to be working ok now but it would be good to know if anyone else has experienced similar problems and if there are other soultions as well as this one.