If you were following all the news about IIS7, you would have heard that you can now plug-in ASP.NET Forms Authentication in the main integrated pipeline. Few of my colleagues, other friends tried doing this and claimed that it didn't work as expected. It is just protecting only the ASP.NET pages and they believe Forms Authentication is not in the integrated pipeline.
Are they correct? They are and they are not. They are correct in saying that Forms Authentication only comes for the ASP.NET pages, but they are in-correct for believing Forms Authentication is in the integrated pipeline.
By default, even if you enable Forms Authentication, you would see that it just works for ASP.NET pages. That is just because, FormsAuthentication module has the preCondition as "managedHandler" meaning, it would be invoked only for a managed request (ASP.NET). You would see the below by default in the applicationHost.config.
So, if you want to enable the Forms Authentication to work for all the requests, you got to remove that preCondition. To enable, select "Modules" for your website on IIS manager. Right click on "FormsAuthentication" module and click on Edit. You would see the below:
Uncheck "Invoke only for requests to ASP.NET applications or managed handlers". Now, you would see that Forms Authentication is working for all the requests to your website.
Read more about this here.
Hope this helps!