makes sense. The forms authentication is like a filter done by the .NET
engine on IIS, so IIS doesn't even send pages to the .NET engine that aren't
mapped to the .NET engine. So this means that only things like .aspx and
similar are protected by it. Any .htm, .js, .gif, etc. are not protected by
it.
I personally don't like this, and actually don't like most of the
configuration of HttpModules and Authentication; I was too used to making
nice little servlets and filters!
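
An added example, not part of the original message: a web.config that closes the gap described above so static files are also subject to forms authentication. It assumes IIS 7 or later with the application pool in integrated pipeline mode; the login page name and the `Public` folder are hypothetical.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Login.aspx is an assumed page name -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <!-- Reject anonymous users for everything in the application -->
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <modules>
      <!-- By default these managed modules carry preCondition="managedHandler",
           so they run only for requests handled by ASP.NET (.aspx and similar).
           Re-adding them with an empty preCondition makes them run for every
           request, including .htm, .js and .gif served by the static handler. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule"
           preCondition="" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule"
           preCondition="" />
    </modules>
  </system.webServer>

  <!-- The login page's own stylesheets and images must stay reachable
       without a ticket; "Public" is a hypothetical folder holding them. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the result, request a static file without an authentication cookie and confirm the response is a redirect to the login page rather than the file itself.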