When you have forms authentication setup in ASP.NET, you might have a folder containing static content, such as PDF/zip files etc. You might try to protect these files using the following item in the web.config to allow access to authenticated users only:
This will not work however since IIS serves non ASP.NET file types directly, and will not pass the request through to ASP.NET to carry out any authentication first.
In order to protect all static content in the site (if you have any), you need to setup the following Wildcard application map on the virtual directory to pass all file types through to ASP.NET so that everything is protected:
It is important however that “Verify that file exists” is NOT ticked, since there are some ASP.NET files such as:
Which don’t physically exist.
WebResource.axd it seems is responsible from .NET 2 onwards for dishing up ASP.NET framework js files, (in 1/1.1 these were served from the C:\Inetpub\wwwroot\aspnet_client\system_web\1_1_4322 folder)
So there you go.
Also, if you are curious what AXD stands for which of course I was, here it is from the man himself:
I'm somewhat embarrased to say that I don't think it stands for anything. I think we choose it because it sounded cool, and used the leters a & x -- which we usually incorporate in other file extension names.
Hope this helps!