Scott Guthrie has talked about this issue here. I would like to add one thing though. Let's say that none of the pages of your web application can be accessed unless the user logs in. To do that, you add an authorization rule in the root web.config file that denies unauthenticated users access to all of the application's files. If you are using themes in your web application with stylesheets and images, you will need to add another authorization rule to allow access to the App_Themes folder, as explained in Scott Guthrie's blog.
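
The two rules described above, written out as a root web.config. This is an added example, not taken from the original post or from Scott Guthrie's blog; it assumes the standard ASP.NET authorization elements and leaves out the rest of the application's settings.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Root rule: "?" stands for anonymous users, so every
         request from a user who has not logged in is denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception scoped to the theme folder only. Rules inside a
       <location> element are evaluated before the inherited root
       rule, so stylesheets and images under App_Themes are served
       to everyone, including users who have not logged in yet. -->
  <location path="App_Themes">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep the `path` limited to App_Themes rather than a broader folder, and store only presentation files there, since everything under that path is readable without logging in.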