Web.config file example for restricting access to an ASP.NET or IIS web site by only allowing authorized Domain users, and denying access to all anonymous users.

<!-- ------------------------------------------------------------- -->
<!-- ASP.NET Authorization Rule                                    -->
<!-- Deny access to all anonymous users, and allow access to only  -->
<!-- "YOUR_DOMAIN\Domain Users" users                              -->
<!-- ------------------------------------------------------------- -->

<system.web>
  ...
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
    <allow roles="YOUR_DOMAIN\Domain Users" />
  </authorization>
  ...
</system.web>

<!-- ------------------------------------------------------------- -->
<!-- IIS Authorization Rule                                        -->
<!-- Deny access to all anonymous users, and allow access to only  -->
<!-- "YOUR_DOMAIN\Domain Users" users                              -->
<!-- ------------------------------------------------------------- -->

<system.webServer>
  ...
  <security>
    <authorization>
      <add accessType="Deny" users="?" />
      <add accessType="Allow" roles="YOUR_DOMAIN\Domain Users" />
    </authorization>
  </security>
  ...
</system.webServer>