By default,IIS processes static
content itself – like HTML pages and
CSS and image files – and only hands
off requests to the ASP.NET runtime
when a page with an extension of
.aspx,.asmx,or .ashx is requested.
IIS 7,however,allows for integrated
IIS and ASP.NET pipelines. With a few
configuration settings you can setup
IIS 7 to invoke the
FormsAuthenticationModule for all
requests. Furthermore,with IIS 7 you
can define URL authorization rules for
files of any type. For more
information,see Changes Between IIS6
and IIS7 Security,Your Web Platform
Security,and Understanding IIS7 URL
Authorization.
Long story short,in versions prior to IIS 7,you can only use forms authentication to protect resources handled by the ASP.NET runtime. Likewise,URL authorization rules are only applied to resources handled by the ASP.NET runtime. But with IIS 7 it is possible to integrate the FormsAuthenticationModule and UrlAuthorizationModule into IIS’s HTTP pipeline,thereby extending this functionality to all requests.