I have a site, into which users log in using forms authentication, in which I want to restrict access to files in a particular folder to certain users.

So, for instance, folder dir/foo will be accessible to user1 but not user2 or user3 and folder dir/bar will be accessible to user2 but not user1 or user3.

How can I do this?

User roles then setup the locations in web.config

<location path="foo">
    <system.web>
        <authorization>
            <allow roles="fooUsers"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

OR for each folder created add a new web.config to folder root

<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="folderUsers"/>
            <deny users="*" />              
        </authorization>
    </system.web>
</configuration>

check the <location> element of web.config