I am developing in .NET for an ASP.NET web application and am trying to prevent all unauthorized users from accessing my application, allowing them only the login page.
Below is a snippet of code that is inside my system.web section:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="60" name="APPNAME" slidingExpiration="true" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
I also have this outside to allow access to the login page:
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
However, I can still access the pages when I am not logged in. How can I stop this?
I even added a Web.config file to the main folder, which stores most of the website files; its contents are:
<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
But it still has no effect.
Decision
asp.net(http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx) HTTPModule AnonymousIdentification, .
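Added example, not part of the original post: a Python check that evaluates the question's `<authorization>` rules in the order ASP.NET URL authorization applies them (rules from a matching `<location>` first, first match wins) and lists any `<remove>` of authentication-related HTTP modules, such as the one the answer line names. The `<httpModules>` entry in the sample, the module watch-list and the function names are assumptions of this example; roles, verbs and directory-level `<location>` paths are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's rules plus a hypothetical <httpModules>
# entry that removes a module, to show how such a change is surfaced.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="60" name="APPNAME" slidingExpiration="true" />
    </authentication>
    <authorization><deny users="?" /></authorization>
    <httpModules><remove name="AnonymousIdentification" /></httpModules>
  </system.web>
  <location path="Login.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

# Default module names whose removal deserves review (watch-list is an assumption).
AUTH_MODULES = {"FormsAuthentication", "UrlAuthorization", "AnonymousIdentification"}


def _rules(system_web):
    """Return (verb, users) pairs from <authorization>, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, r.get("users", "")) for r in auth if r.tag in ("allow", "deny")]


def anonymous_allowed(config_xml, page):
    """True if an anonymous request for `page` passes the users= rules."""
    root = ET.fromstring(config_xml)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():  # exact page match only
            rules += _rules(loc.find("system.web"))
    rules += _rules(root.find("system.web"))  # application-wide rules come after
    for verb, users in rules:
        names = {u.strip() for u in users.split(",")}
        if names & {"?", "*"}:  # "?" = anonymous users, "*" = everyone
            return verb == "allow"
    return True  # nothing matched: the machine-level default is <allow users="*"/>


def removed_auth_modules(config_xml):
    """List watch-listed modules that the config removes from the pipeline."""
    root = ET.fromstring(config_xml)
    removes = root.findall("./system.web/httpModules/remove")
    return sorted(r.get("name") for r in removes if r.get("name") in AUTH_MODULES)
```

With the question's rules, the check reports Login.aspx as reachable and every other page as denied to anonymous users, so when pages are still served the module list is the next thing to inspect.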