Authorization Rules
If you make changes in an application’s web.config file and request a page, you will notice that nothing unusual happens, and the web page served in the normal way. This is because though you have allowed forms authentication for your application, you have not restricted users. In others words, we can say that you have chosen the system you want to use for authentication, but at the movement none of your pages needs authentication.
To control who can and who cannot access your website, you need to add access control rules to the <authorization> section of your web.config file.