While waiting for solutions to my similar problem (Self-hosted OWIN, static files and authentication) I would like to protect a directory serving static files within an MVC application with ASP.NET Identity. How can I protect my Downloads directory while still keeping all the goodness of MVC and Identity?
The solution was quite easy and obvious: just add a Web.config with the desired authorizations.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <!-- "?" matches anonymous (unauthenticated) users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
That was also my first immediate attempt, but I had forgotten to correctly set the Copy to output directory property.
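The failure mentioned above, a Web.config that never reaches the deployed folder, can be caught with a deploy-time check. The following is an added example, not code from the original post: it assumes a hypothetical output layout with a Downloads subfolder, and it goes one step further by evaluating the rules in order, since ASP.NET URL authorization applies the first matching rule.

```python
import os
import xml.etree.ElementTree as ET

# Constructed samples: the config from the post, and one where an earlier
# allow rule shadows the deny (rules are applied first-match, top-down).
PAGE_CONFIG = """<?xml version="1.0"?>
<configuration><system.web><authorization>
  <deny users="?"/>
</authorization></system.web></configuration>"""
SHADOWED_CONFIG = """<configuration><system.web><authorization>
  <allow users="*"/>
  <deny users="?"/>
</authorization></system.web></configuration>"""


def anonymous_denied(config_xml, verb="GET"):
    """True if the <authorization> rules deny anonymous users for `verb`."""
    auth = ET.fromstring(config_xml).find("./system.web/authorization")
    if auth is None:
        return False  # no local rules: the inherited default allows everyone
    for rule in auth:
        if rule.tag not in ("allow", "deny"):
            continue
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and verb.upper() not in verbs:
            continue  # rule is limited to other HTTP verbs
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:  # "?" = anonymous, "*" = everyone
            return rule.tag == "deny"     # first matching rule decides
    return False  # fell through to the inherited allow-all default


def check_protected_dir(output_root, subdir="Downloads"):
    """Inspect the deployed folder (hypothetical layout), not the project folder."""
    path = os.path.join(output_root, subdir, "Web.config")
    if not os.path.isfile(path):
        return "MISSING"  # e.g. the file was never copied to the output
    with open(path, "rb") as fh:
        return "PROTECTED" if anonymous_denied(fh.read()) else "OPEN"


if __name__ == "__main__":
    import sys
    print(check_protected_dir(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the published output folder as a build or release step; anything other than PROTECTED means anonymous requests to the directory are not blocked by this file.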