I just added this to my web.config:

<security>
  <ipSecurity allowUnlisted="false">
    <!-- The following IP addresses are granted access, all else denied -->
    <add allowed="true" ipAddress="123.123.105.0" subnetMask="255.255.255.0" />
    <add allowed="true" ipAddress="123.123.100.0" subnetMask="255.255.255.0" />
  </ipSecurity>
</security>

Works exactly as intended, only over that certain IP range. BUT, now when I go to test this in Visual Studio via iisExpress over localhost it of course gives me issues. Here is the 500.19 error I receive:

This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".

I have setup IPSecurity on my localmachine in the services panel, so that is enabled, and I have monkeyed around with options in the ipSecurity block such as adding 'localhost' as a domainName value - but alas no luck. .... help me StackOverflow, you're my only hope! ;)

I just ran into the same situation. I googled around and found that all you have to do is edit the applicationhost.config file for IIS Express found here:

%userprofile%\Documents\IISExpress\config\applicationhost.config

Open it up and look for the ipSecurity section that is inside the system.webServer section and change overrideModeDefault from "Deny" to "Allow". You do not need to add the IIS IP Security from Windows Features.

<sectionGroup name="system.webServer">
  ...
  <section name="ipSecurity" overrideModeDefault="Allow" />
  ...
</sectionGroup>

Hope this helps!

Add 127.0.0.1 to your allowed ips like so:

<add allowed="true" ipAddress="127.0.0.1" />

Thanks to @AbeyMarquez, I thought your comment warranted more attention as it solved my problem. Thanks!