Web.config file example for restricting access to an ASP.NET or IIS web site by only allowing authorized Domain users, and denying access to all anonymous users.
<!-- ------------------------------------------------------------- -->
<!-- ASP.NET Authorization Rule -->
<!-- Deny access to all anonymous users, and allow access to only -->
<!-- "YOUR_DOMAIN\Domain Users" users -->
<!-- ------------------------------------------------------------- -->
<system.web>
...
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow roles="YOUR_DOMAIN\Domain Users" />
</authorization>
...
</system.web>
<!-- ------------------------------------------------------------- -->
<!-- IIS Authorization Rule -->
<!-- Deny access to all anonymous users, and allow access to only -->
<!-- "YOUR_DOMAIN\Domain Users" users -->
<!-- ------------------------------------------------------------- -->
<system.webServer>
...
<security>
<authorization>
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="YOUR_DOMAIN\Domain Users" />
</authorization>
</security>
...
</system.webServer>