on local machine ,i created sample project on mvc4 (razor) and create directory named "x" and put a text file "a.txt" in it.

http://localhost:64471/x/a.txt

in my web config i deny all user to access to "x" folder by this config:

<location path="x">
<system.web>
  <authorization>
    <deny users="*"/>
  </authorization>
</system.web>

Now if user send this request :

http://localhost:64471/x/ 

it works and return user to URL that defined in forms tag in web config.

but when user send this request :

http://localhost:64471/x/a.txt

can read text file in browser(browser shows contents of text file).

i want to know how to deny user to access all files and subfolders in "x" folder?

I tested with path="x" in root web.config. It restrict everything under x folder; it won't even let me browse ~/x. I get redirected to login page.

Could you try full path to a.txt like this in root web.config?

<location path="x/a.txt">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

If it still doesn't work, you can try creating a web.config inside x folder with the following content.

<?xml version="1.0"?>
<configuration>

  <location path="a.txt">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>

I know this is an old question, but if you are having issues and dealing with text or html files, you might want to refer to this stackoverflow question.

In short, you might need to add this to your web.config:

<system.webServer>
    <modules>
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
    </modules>
</system.webServer>

As kirk points out, files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.