ASP.NET Forms Authentication

Published 2019-02-15 23:55

Question:

I have the following ASP.NET Forms Authentication configuration:

<system.web>
  <authentication mode="Forms">
    <forms name="MembershipCookie" 
           loginUrl="Login.aspx" 
           protection="All" 
           timeout="525600" 
           slidingExpiration="true" 
           enableCrossAppRedirects="true" 
           path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?

The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.

Update:

The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:

ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication

Answer 1:

If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.



Answer 2:

If a user accesses Home.aspx then the second rule will be applied, i.e.

<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

The point to note here is that * tells that any authorized user (having any or no role assigned) could access the page, but ? tells that an unauthorized user could not access the page.
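As an added illustration, not part of the question or either answer, the following Python models how ASP.NET's UrlAuthorizationModule evaluates the configuration above: the rules of the most specific matching <location> block are placed in front of the application-level <system.web> rules, the first rule that matches the request wins, ? matches only anonymous requests, * matches everyone, and a request that matches no rule is allowed (the machine-level root web.config ends with <allow users="*" />). The config string is the one from the question, embedded here as constructed input with the truncated </location> tag completed; the function names are my own. The model covers the documented rule ordering only and says nothing about the root-URL behaviour of the KB980368 hotfix mentioned in the update.

```python
import xml.etree.ElementTree as ET

# Constructed input: the web.config from the question, with the closing
# </location> tag completed so the XML parses.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MembershipCookie" loginUrl="Login.aspx" protection="All"
             timeout="525600" slidingExpiration="true"
             enableCrossAppRedirects="true" path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Home.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _split(attr):
    return [v.strip() for v in attr.split(",") if v.strip()]


def _rules(authz):
    """Read <allow>/<deny> children in document order as
    (action, users, roles, verbs) tuples."""
    rules = []
    if authz is None:
        return rules
    for el in authz:
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _split(el.get("users", "")),
                          _split(el.get("roles", "")), _split(el.get("verbs", ""))))
    return rules


def effective_rules(config_xml, request_path):
    """Merge rules the way UrlAuthorizationModule sees them: rules from the
    most specific matching <location> block come first, less specific blocks
    follow, and the application-level <system.web> rules come last."""
    root = ET.fromstring(config_xml)
    rp = request_path.strip("/").lower()          # IIS paths are case-insensitive
    matching = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p == "" or rp == p or rp.startswith(p + "/"):
            matching.append((len(p), loc))
    merged = []
    for _, loc in sorted(matching, key=lambda t: -t[0]):
        merged.extend(_rules(loc.find("system.web/authorization")))
    merged.extend(_rules(root.find("system.web/authorization")))
    return merged


def is_authorized(config_xml, request_path, user=None, roles=(), verb="GET"):
    """First matching rule wins. '?' matches only anonymous requests (user is
    None), '*' matches everyone. A rule with both users and roles matches if
    either list hits. No matching rule means access is allowed, mirroring the
    <allow users="*" /> supplied by the machine-level root web.config."""
    roles = [r.lower() for r in roles]
    for action, users, rule_roles, verbs in effective_rules(config_xml, request_path):
        if verbs and verb.upper() not in (v.upper() for v in verbs):
            continue
        user_hit = any(u == "*" or (u == "?" and user is None)
                       or (user is not None and u.lower() == user.lower())
                       for u in users)
        role_hit = any(r.lower() in roles for r in rule_roles)
        if user_hit or role_hit:
            return action == "allow"
    return True


if __name__ == "__main__":
    for path, user in [("/home.aspx", None), ("/", None), ("/Default.aspx", "alice")]:
        verdict = "allow" if is_authorized(WEB_CONFIG, path, user) else "deny (redirect to Login.aspx)"
        print(f"{user or 'anonymous':>9} -> {path}: {verdict}")
```

Running it shows an anonymous request for /home.aspx allowed (the location's allow is first in the merged list and matches before the root deny is reached), while an anonymous request for / or any other page hits only the root <deny users="?" /> and is redirected to Login.aspx. The practical caveat for a reviewer is visible in effective_rules: a <location> allow silently shadows a root-level deny for that path, so an audit of an application's authorization has to walk every <location> override, not just the root <authorization> block.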