Is this specification correct in the root web.config file? I haven't used a child web.config in the protected folder.
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="">
</forms>
</authentication>
</system.web>
Then another specification for system.web also in root web.config:
<location path="to protected folder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>