I have a web.cofig file inside a directory (see below). If you click on the link to the site, you go to a login page and with the correct credentials, you go to the page you tried to access (standard stuff). If you have a file in there for example, "test.txt", I am current able to type in the direct link and pull that file up. I want to be able to secure the data as well and it is an upload directory so it will always be different names, but they will always be PDF files.
<?xml version="1.0" encoding="utf-8"?>
<allow roles="Role" />
<allow users="user" />
<deny users="*" />