Generally, setting file access permissions by directory is the cleanest and easiest approach. However, you also have the option of restricting specific files by adding tags to your web.config file.
The location tags sit outside the main tag and are nested directly in the base tag, as shown here:
In this example, all files in the application are allowed, except SecuredPage.aspx and AnotherSecuredPage.aspx, which have an additional access rule denying anonymous users.
Notice that even when you use multiple sections to supply different sets of authorization rules, you still only include one section. That’s because a web application can use only one type of authentication.