To get this scenario to work you would have the web.config file in the root directory. Then in the subdir, if you wanted it to be restricted to certain users or roles, you would add a simplified web.config to this directory. Or you can add <Location> elements to you root web.config to restrict access to subdirectories.;en-us;815174;en-us;307626