In the master page I define a public property that toggles security checking, defaulted to true. I also declare a string that is a ; delimited list of roles needed for that page.

in the page load of my master page I do the following

if (_secure)
{
  if (Request.IsAuthenticated)
  {
    if (_role.Length > 0)
    {
      if (PortalSecurity.IsInRoles(_role))
      {
        return;
      }
      else
      {
        accessDenied = true;
      }
    }
    else
    {
      return;
    }
  }
}

//do whatever you wanna do to people who dont have access.. bump to a login page or whatever

also you'll have to put

at the top of your pages so you can access the extended properties of your master page

One solution I've used in the past is this:

1. Create a base page called 'SecurePage' or something to that effect.
2. Add a property 'AllowedUserRoles' to the base page that is a generic list of user roles List or List where int is the role id.
3. In the Page_Load event of any page extending SecurePage you add each allowed user role to the AllowedUserroles property.
4. In the base page override OnLoad() and check if the current user has one of the roles listed in AllowedUserRoles.

This allows each page to be customized without you having to put tons of stuff in your web.config to control each page.

A couple solutions off the top of my head.

1. You could set up restrictions for each page in your web.config file. This would allow you to have whatever folder hierarchy you wish to use. However, it will require that you keep the web.config file up to date whenever you add additional pages. The nice part of having the folder structure determine accessibility is that you don't have to think about it when you add in new pages.
2. Have your pages inherit from custom classes (i.e. EveryonePage, UserPage, AdminPage, etc.) and put a role check in the Page_Load routine.