HTTP handlers

Use ASP.NET HTTP handlers to protect files with a certain extension. Accomplishing this involves two steps: first, the file extension in IIS needs to be mapped to the ASP.NET ISAPI extension; next, the ASP.NET engine needs to be configured to map the same extension to the HttpForbiddenHandler HTTP handler. 

Realize that both of these two steps are vital - if you forget to map the extension in IIS to the ASP.NET ISAPI extension, then the ASP.NET engine will not be invoked when a file with the forbidden extension is accessed. If you map the file extension correctly through IIS, but forget to perform the mapping in the appropriate ASP.NET configuration file, the ASP.NET engine will simply return the contents of the file.