IIS has a default blacklist of filetypes that won't be served to the users of its sites, some of those types are: .asax, .cs, .vb, .config. You can find the setting in the Features View under Request Filtering.
I did a powershell query to find all of the filetypes in my website, and whitelisted only the filetypes I want IIS to serve:
Get-Childitem . | WHERE { -NOT $_.PSIsContainer } | Group Extension -NoElement | Sort Count -Desc > FileExtensions.txt
Now the sites works perfect and secure, until I enable ASP.Net bundling. 404's will occur on the bundled styles and scripts, as those are not whitelisted.
Now the question: can I whitelist bundled files and what extension should be added to the Allowed Extensions list in IIS?
Yes you can ;-). Just add the correct extention to the bundle name.
e.g.: ~/Bundles/Styles => ~/Bundles/Styles.css
Change in RegisterBundles() method and in Styles.Render() and you are done