Thanks for that. I now have a web.config that works:

<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name=".ASPXAUTH" loginUrl="admin/login.aspx" />
        </authentication>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
    <location path="admin">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

I assume with this setup you can only have one login page? i.e. you may have a folder called poweruser that is restricted to power users and admin - I assume to do this you use roles?