Ok, so I just created a new web application that uses the default role manager stuff. I created three roles: roleA, roleB, roleC, and in my application, I added the same configuration entry that you used above, but changed the default path on the About.aspx page.
After testing the various role configurations, the roles seem to work exactly as you would expect. If the user is a member of several roles, for example roleA and roleC, if the configuration is configured as you have above, allow "roleA, roleB", my user gets access regardless of the order. Take away roleA in config and my user no longer has access. Take away roleB and re-add roleA, and my user is activated again; re-add both of them, and the user has access.
Edit 2 - Deleting an image using "RoleGroup" as I believe that it adds confusion.
http://www.asp.net/security/tutorials/role-based-authorization-cs has a pretty good explanation of how role-based auth works. There is not much information about several roles.
In addition, as an additional note, you can check role-based programs, which are a little more cumbersome to support, but then you can handle authorization in any way you like. I personally did this in past projects to limit access to various pages for users, and this is very good for me.
http://www.4guysfromrolla.com/articles/082703-1.2.aspx
Edit - add information about my test.
To clarify how I test:
I created the main user and 3 roles in the web administration tool, and assigned roleA and roleC to my user.

From there, here is my configuration file. This is the standard web configuration with a new project with the settings you added.

    <?xml version="1.0"?>
    <configuration>
      <connectionStrings>
        <add name="ApplicationServices"
             connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true"
             providerName="System.Data.SqlClient" />
      </connectionStrings>
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
        </authentication>
        <membership>
          <providers>
            <clear/>
            <add name="AspNetSqlMembershipProvider"
                 type="System.Web.Security.SqlMembershipProvider"
                 connectionStringName="ApplicationServices"
                 enablePasswordRetrieval="false"
                 enablePasswordReset="true"
                 requiresQuestionAndAnswer="false"
                 requiresUniqueEmail="false"
                 maxInvalidPasswordAttempts="5"
                 minRequiredPasswordLength="6"
                 minRequiredNonalphanumericCharacters="0"
                 passwordAttemptWindow="10"
                 applicationName="/" />
          </providers>
        </membership>
        <profile>
          <providers>
            <clear/>
            <add name="AspNetSqlProfileProvider"
                 type="System.Web.Profile.SqlProfileProvider"
                 connectionStringName="ApplicationServices"
                 applicationName="/"/>
          </providers>
        </profile>
        <roleManager enabled="true">
          <providers>
            <clear />
            <add connectionStringName="ApplicationServices"
                 applicationName="/"
                 name="AspNetSqlRoleProvider"
                 type="System.Web.Security.SqlRoleProvider" />
            <add applicationName="/"
                 name="AspNetWindowsTokenRoleProvider"
                 type="System.Web.Security.WindowsTokenRoleProvider" />
          </providers>
        </roleManager>
      </system.web>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
      <!-- Only members of roleA or roleB may request About.aspx; everyone else is denied. -->
      <location path="About.aspx">
        <system.web>
          <authorization>
            <allow roles="roleA, roleB" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>
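
The test results described in this answer follow from first-match evaluation of the `<authorization>` rules. The sketch below is an added example (not code from the answer and not ASP.NET's own implementation) that parses the `<location>` fragment and reproduces that test matrix. The user name `alice`, the helper names, whitespace trimming in the role list, exact name comparison, and the allow-all fallback when no rule matches are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <location> element from the configuration above.
LOCATION_XML = """
<location path="About.aspx">
  <system.web>
    <authorization>
      <allow roles="roleA, roleB" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
"""

def _split(value):
    # Comma-separated list; surrounding whitespace is assumed to be ignored.
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def load_rules(location_xml):
    """Return the rules as (action, users, roles) tuples in document order."""
    auth = ET.fromstring(location_xml).find(".//authorization")
    return [(r.tag, _split(r.get("users")), _split(r.get("roles"))) for r in auth]

def is_allowed(rules, user_name, user_roles):
    """First matching rule wins; user_name=None models an anonymous request."""
    held = set(user_roles)
    for action, users, roles in rules:
        user_match = ("*" in users
                      or ("?" in users and user_name is None)
                      or (user_name is not None and user_name in users))
        # A roles list matches when the user holds ANY listed role.
        if user_match or (roles & held):
            return action == "allow"
    return True  # assumption: nothing matched, so the inherited default allows

def check(roles_attr, user_roles, user="alice"):
    """Evaluate the fragment with the allow rule's roles attribute swapped."""
    xml = LOCATION_XML.replace('roles="roleA, roleB"', f'roles="{roles_attr}"')
    return is_allowed(load_rules(xml), user, user_roles)

if __name__ == "__main__":
    for attr in ("roleA, roleB", "roleB, roleA", "roleB"):
        print(f"{attr!r:16} -> {check(attr, ['roleA', 'roleC'])}")
```

Order inside the `roles` attribute has no effect, but the order of the rules themselves does: placing `<deny users="*" />` first would match every request before the `allow` rule is reached.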