It would be good if you could use web.config for other files (the only way you an do that is if you associate more file types with web.config - unless you can specify redirection on an arbitrary file, like index.html without creating that file)

Also password protect any directory (at the moment if you want to protect /root/subdir/foldertoprotect/ you have to set up foldertoprotect as an application - unless there is a way, I do not know how to). The other problem I have found is if you have a dll in /bin/ that you wish to use in /root/subdir/foldertoprotect/ you need to copy it to the bin folder in foldertoprotect - you may want this as it could be a shared dll used on many 'sub applications'

e.g. I find putting the following into the web.config directory in foldertoprotect does not work

<authentication mode="Forms">
    <forms name="myapp" loginUrl="login.aspx" />

How do you use forms authentication on subfolders?