It would be good if you could use web.config for other files (the only way you an do that is if you associate more file types with web.config - unless you can specify redirection on an arbitrary file, like index.html without creating that file)
Also password protect any directory (at the moment if you want to protect /root/subdir/foldertoprotect/ you have to set up
foldertoprotect as an application - unless there is a way, I do not know how to). The other problem I have found is if you have a dll in
/bin/ that you wish to use in /root/subdir/foldertoprotect/ you need to copy it to the
bin folder in foldertoprotect - you may want this as it could be a shared dll used on many 'sub applications'
e.g. I find putting the following into the web.config directory in foldertoprotect does not work