ASP.NET

Here is a gotcha:  if you attempt to protect the contents of a directory using a web.config file like:

<location path="data">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

... it won't work. ASP.NET only respects the configured permissions for files that it serves. Static directories, and most files in them, are served by IIS and must be protected using IIS settings.