I know that IIS7 allows me to have a per directory configuration with the web.config xml file. I have a directory with some configuration files that don't want to be web accessible. A local web.config file forbidding read access to it would be a nice solution.
What should be the contents of a web.config file to forbid web access to the files?
Edit: I'm trying to put a web.config file with these contents in a file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<deny users="*" /> <!-- Denies all users -->
</authorization>
</system.web>
</configuration>
But I can still directly access a file inside the directory. What's wrong with it? How do I debug what's happening?