I have an MVC intranet application using Windows authentication. It currently has one controller with three actions.
The first action (index) should be available to everyone; this is no problem. The second and the third actions should only be available to users in a specific DOMAIN. However, the <Authorize()>
tag only gives me 2 options: Roles or Users. I tried using Users and setting it to 'DOMAIN*' and 'DOMAIN\?' but that doesn't work.
I've been searching all over the internet but cannot seem to find any way of accomplishing what I want. I hope someone here can help me out!
Use DOMAIN\Domain Users
as the role name. It's a built-in group that contains, you guessed it, all users in the domain.
Adding to what jrummel mentioned, decorate your controller or action with the following:
    [Authorize(Roles = @"DOMAIN\Domain Users")]
That will only allow users in the specific role (in this case, users of a specific domain) to access the controller/action (depending on which you decorate). Alternatively, you can create your own Authorize attribute for the purpose of domains:
    using System;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    /// <summary>
    /// Specifies which domains a user should belong to in order to access the decorated
    /// controller/action
    /// </summary>
    public class DomainAuthorizeAttribute : AuthorizeAttribute
    {
        private String[] domains = new String[0];

        /// <summary>
        /// List of acceptable domains
        /// </summary>
        public String[] Domains
        {
            get { return this.domains; }
            set { this.domains = value; }
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }

            // User not logged in
            if (!httpContext.User.Identity.IsAuthenticated)
            {
                return false;
            }

            // No roles to check against: any authenticated user is accepted
            if (this.Domains.Length == 0)
            {
                return true;
            }

            // Check whether the user is in "<domain>\Domain Users" for any of the domains specified
            // (verbatim string so the backslash is not treated as an escape)
            String[] roles = this.Domains.Select(d => String.Format(@"{0}\Domain Users", d)).ToArray();
            if (roles.Any(httpContext.User.IsInRole))
            {
                return true;
            }

            return false;
        }
    }
Something like that should allow you to do:
    [DomainAuthorize(Domains = new[] { "DOMAIN1", "DOMAIN2" })]
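A small console harness to exercise the attribute above outside of IIS, as an added example that is not part of the original answer. It assumes the DomainAuthorizeAttribute class from the answer is compiled into the same project, and uses a constructed fake HttpContextBase and GenericPrincipal objects in place of the real Windows identity; the names and roles are made up for the test. The last case shows the fail-open behaviour of an empty Domains list.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Test-only subclass: exposes the protected AuthorizeCore so it can be called directly.
class TestableDomainAuthorize : DomainAuthorizeAttribute
{
    public bool Check(HttpContextBase ctx) { return AuthorizeCore(ctx); }
}

// Minimal fake HttpContextBase that only supplies a User (constructed for this harness).
class FakeHttpContext : HttpContextBase
{
    private readonly IPrincipal user;
    public FakeHttpContext(IPrincipal user) { this.user = user; }
    public override IPrincipal User { get { return user; } set { } }
}

static class DomainAuthorizeHarness
{
    // GenericIdentity reports IsAuthenticated == false when its name is empty,
    // which is how the anonymous case is modelled here.
    static IPrincipal Principal(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Run(string label, TestableDomainAuthorize attr, IPrincipal user)
    {
        Console.WriteLine("{0}: {1}", label, attr.Check(new FakeHttpContext(user)));
    }

    public static void Main()
    {
        var restricted = new TestableDomainAuthorize { Domains = new[] { "DOMAIN1", "DOMAIN2" } };

        Run("member of a listed domain", restricted,
            Principal(@"DOMAIN2\alice", @"DOMAIN2\Domain Users"));
        Run("member of an unlisted domain", restricted,
            Principal(@"OTHER\bob", @"OTHER\Domain Users"));
        Run("unauthenticated identity with a matching role", restricted,
            Principal("", @"DOMAIN1\Domain Users"));

        // Caveat: with no Domains configured the attribute admits every authenticated user.
        var open = new TestableDomainAuthorize();
        Run("empty Domains list, authenticated user from any domain", open,
            Principal(@"OTHER\dave"));
    }
}
```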
For people interested, here is the VB version of the above code snippet:
    Imports System
    Imports System.Linq
    Imports System.Web
    Imports System.Web.Mvc

    ''' <summary>
    ''' Specifies which domains a user should belong to in order to access the decorated
    ''' controller/action
    ''' </summary>
    Public Class DomainAuthorizeAttribute
        Inherits AuthorizeAttribute

        Private m_domains As [String]() = New [String](-1) {}

        ''' <summary>
        ''' List of acceptable domains
        ''' </summary>
        Public Property Domains() As [String]()
            Get
                Return Me.m_domains
            End Get
            Set(value As [String]())
                Me.m_domains = value
            End Set
        End Property

        Protected Overrides Function AuthorizeCore(httpContext As HttpContextBase) As Boolean
            If httpContext Is Nothing Then
                Throw New ArgumentNullException("httpContext")
            End If

            ' User not logged in
            If Not httpContext.User.Identity.IsAuthenticated Then
                Return False
            End If

            ' No roles to check against: any authenticated user is accepted
            If Me.Domains.Length = 0 Then
                Return True
            End If

            ' Check whether the user is in "<domain>\Domain Users" for any of the domains specified
            Dim roles As [String]() = Me.Domains.[Select](Function(d) [String].Format("{0}\Domain Users", d)).ToArray()
            For Each r In roles
                If httpContext.User.IsInRole(r) Then
                    Return True
                End If
            Next

            Return False
        End Function
    End Class
Hope this will be helpful for someone! (All credit goes to Brad Christie)