I am having an issue trying to prevent all users/connections from accessing a download folder "files" and all subs and files therein. I only want to allow authenticated users in specific Roles to have access to the files. The files folder is under root:
./web.config
./files/subfolder1/files in here
In my web.config I have this:
<location path="files" allowOverride="false">
  <system.web>
    <authorization>
      <allow roles="Admin, Fieldworker, Supervisor, Accounting" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
The problem is that not only are all users blocked, but my authenticated users in the Admin and other roles are blocked too. If I add above then my "admin" user can access the files, but then so can any unauthenticated user... I do not get why that would allow other users access.
My web server is IIS7. Other related entries in web.config:
<modules runAllManagedModulesForAllRequests="false">
  <remove name="ScriptModule" />
  <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
  <remove name="UrlAuthorization" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <remove name="DefaultAuthentication" />
  <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
Thanks in advance for help on this!