<?xml version="1.0" encoding="UTF-8"?>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="Administrators" />
Thank you very much for the suggestion. I've put this exact contents into a newly-created web.config in the folder and it doesn't appear to accomplish anything (which I find strange). If I restore the NTFS permissions to be the same on this folder as on all other folders in the site, I would expect this web.config to be invoked and prevent access by non-admins (i.e. the anonymous ourdomain\webuser). Is there some other configuration setting I might need to apply so this might work?
This will prevent the access to anonymous users and only allow users from the Admnistrators group. you can use Roles or users for this.
You could use Authorization rules for that, just create a web.config inside the directory you want to protect with the following contents: