Reputation: 338
I am using Forms Authentication with ASP.NET Web Forms and it successfully authenticates the user.
With these authorization settings in the web.config, an anonymous user can only access the Login page.
    <authorization>
      <deny users="?" />
    </authorization>
or
    <location path="SubFolder">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
I am trying to use location tags to further allow anonymous access to additional pages, but they are ignored:
    <location path="SubFolder/LoggedOut.aspx">
      <system.web>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>
    </location>
Following ASP.NET settings inheritance, the authorization tag in the location tag should overwrite the global authorization tag.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list. (link)
How can I deny anonymous access to all pages but those that I specify?
The answers to this question state that what I am doing is correct. But it doesn't seem to work for me. So why does this happen? Is there a way to find out what setting blocks the access when I try to access a page? Is there anything I am missing?
Upvotes: 0
Views: 3200
Reputation: 338
Apparently a less-restricted file cannot be in a restricted directory. However, doing the same with a less-restricted directory is ok.
I ended up placing the public files in the root and all secured files in a subfolder using the following web.config:
    ...
    <authorization>
      <allow users="*" />
    </authorization>
    ...
    <location path="SubFolder">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    ...
Tested in .NET-Framework 4.5, Visual Studio Enterprise 2015.
Upvotes: 1
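The merge-and-first-match evaluation quoted in the question can be modelled in a few lines to see which rule should decide a given request. This is an added example, not code from either post or from ASP.NET itself. It assumes the stock machine-level default of `<allow users="*" />`, models only the `?` and `*` user tokens (no roles or verbs), and all function names are hypothetical.

```python
# Model of ASP.NET URL authorization as quoted above: rules from every
# configuration level that applies to a URL are merged, nearest level first,
# and the first rule matching the user decides the request.

MACHINE_DEFAULT = [("allow", "*")]  # assumption: stock machine-level default

def applicable_levels(url, root_rules, locations):
    """Return the rule lists that apply to url, nearest (longest path) first."""
    url = url.strip("/").lower()
    hits = []
    for path, rules in locations.items():
        p = path.strip("/").lower()
        if url == p or url.startswith(p + "/"):
            hits.append((len(p), rules))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [rules for _, rules in hits] + [root_rules, MACHINE_DEFAULT]

def merged_rules(url, root_rules, locations):
    """Flatten the applicable levels into the single list that is evaluated."""
    levels = applicable_levels(url, root_rules, locations)
    return [rule for level in levels for rule in level]

def matches(token, authenticated):
    """'*' matches everyone, '?' matches only anonymous users."""
    return token == "*" or (token == "?" and not authenticated)

def decide(url, authenticated, root_rules, locations):
    """Return (allowed, deciding_rule) for one request."""
    for action, token in merged_rules(url, root_rules, locations):
        if matches(token, authenticated):
            return action == "allow", (action, token)
    return False, None

# Rule sets constructed from the snippets in the question.
QUESTION_ROOT = [("deny", "?")]
QUESTION_LOCATIONS = {
    "SubFolder": [("deny", "?"), ("allow", "*")],
    "SubFolder/LoggedOut.aspx": [("allow", "?")],
}

if __name__ == "__main__":
    for url in ("Default.aspx", "SubFolder/Page.aspx", "SubFolder/LoggedOut.aspx"):
        ok, rule = decide(url, False, QUESTION_ROOT, QUESTION_LOCATIONS)
        print(f"{url:26} anonymous {'allowed' if ok else 'denied'} by {rule}")
```

The deciding rule returned for each URL is the one to compare against the server's actual response when tracking down an unexpected redirect to the login page.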