No, you must use Application_AuthenticateRequest instead. That's the earliest point where you have an user.

You don't have access to the User object because the request hasn't yet been authenticated.

Try using Application_AuthenticateRequest instead.

Here is an explanation of all Global.asax events: https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-5771721.html

And the MSDN walkthrough of the application lifecycle: http://msdn.microsoft.com/en-us/library/ms178473.aspx

Edit: I see what you're doing. Change your if statement to and if not statement (sorry if syntax is wrong, I don't use VB.NET):

 Sub Application_AuthenticateRequest() 
   If Context.User <> Nothing Then 
      Throw New Exception("User now exists") 
 End Sub 

You'll notice that this method gets hit more than once. The exception won't be thrown until the second or third time. That is because every request follows the application lifecycle. So, instead of performing whatever action when the user is null, you should perform it when the user is not null.

If your goal is to restrict access dynamically, you should create a separate HttpModule and assign it to the files you're restricting

However, you'll need to be careful not to undertake rewriting the entire ASP.NET Application Security infrastructure. You can, instead, restrict access to certain folders based on role.