Setting file system permissions (or NTFS ACLs as they are also known) can be a real pain in the rear. Not only do you have to deal with sometimes complicated inheritance rules, but they don't copy easily - especially across machines, and they can easily get trashed or re-set unintentionally. Starting with IIS7, you can avoid setting file permissions on content as a way to protect it, and instead store the authorization rules in your application's web.config file. That means anywhere you copy the content, the authorization rules flow with it!
Here are some basic facts to get it working:
Install path: \IIS\World Wide Web Services\Security\URLAuthorization
Requires: an authentication protocol (ASP.NET Forms authentication, Windows, Basic or Digest Authentication all work well)
Configuration stored like this:
<add accessType="Allow" users="bill" />
Want to see it in action? Watch this video I created (requires Silverlight)