
Does web.config authorization work on files other than aspx?

I have an ASP.NET application with forms authentication. It works well, but I have one directory with only .txt files (no aspx files) that I want users not to access (or only logged in users).

I added web.config to this directory:

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>

EDIT:

This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory or its subdirectories; however, knowing the .txt file name, they can access it.

I tried IIS6 and IIS 7.5. On IIS6 .txt files are also restricted, but on IIS 7.5 they are not, so it may be an IIS configuration issue.


Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.

No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6, you have to register the mime types such that the aspnet.isapi is called for .txt files as well.

UPDATE: The configuration of

<deny users="*" />

locks out all users. It would work only in combination with allow, e.g.

<allow roles="administrators" />
<deny users="*" />

Like this, all users but administrators will be locked out. If a user is authenticated but not an administrator, he will be redirected to the login page.

The other option is to lock out anonymous users only:

<deny users="?" />


Add a location section to the web.config with appropriate settings: location Element (ASP.NET Settings Schema)


If you use IIS 7+, then you can use the system.webServer/security/authorization section (http://www.iis.net/ConfigReference/system.webServer/security/authorization), and have that automatically work for any kind of content in any pipeline mode. If you still want to use the system.web section, then you will need to use Integrated Mode and do the changes that are mentioned in the modules to run for all content, but by far, the simplest is to use system.webServer/security/authorization instead.
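
A configuration sketch combining the answers above for IIS 7+ in Integrated mode, added here as an example and not taken from any of the posts. The directory name `docs` is a placeholder, and the file is assumed to be the web.config at the application root.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Application-root web.config (added example, not from the original posts).
     "docs" is a placeholder for the directory that holds the .txt files. -->
<configuration>

  <system.webServer>
    <!-- Integrated mode: run the managed modules (forms authentication,
         ASP.NET URL authorization) for every request, not only for requests
         mapped to an ASP.NET handler, so static files are covered too. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>

  <!-- Scope the rules with a location element instead of a separate
       web.config inside the directory. -->
  <location path="docs">

    <!-- Option A: ASP.NET authorization, the rule from the question.
         "?" matches anonymous (not logged in) users. -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    <!-- Option B: IIS URL authorization, enforced by IIS itself for any
         content type. Requires the IIS "URL Authorization" feature to be
         installed. The modules setting above lets forms authentication
         establish the user before this rule is evaluated.
         Either option alone is sufficient; both are shown for comparison. -->
    <system.webServer>
      <security>
        <authorization>
          <add accessType="Deny" users="?" />
        </authorization>
      </security>
    </system.webServer>

  </location>
</configuration>
```

To check the result, request a known .txt file name directly, once signed out and once signed in: the signed-out request should be sent to the login page, and directory browsing being disabled is not evidence that the files themselves are protected.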
