Here is my web.config used to login protect a folder called administration;
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off">
</customErrors>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="999999">
<credentials passwordFormat="MD5">
<user name="admin" password="21232F297A57A5A743894A0E4A801FC3" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
<allow users="*" />
</authorization>
<trace enabled="true" localOnly="false" />
</system.web>
<location path="administration">
<system.web>
<authorization>
<allow users="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
I'm using it in this asp.net vb web site which I built from some tutorials and added a few extra bits of functionality to.