Best way to secure a folder


JonnoA
September 6th, 2004, 05:52 AM
What's the 'best' way to secure all files (including .zip, .pdf) in a folder on an IIS web server using asp.net? This situation must be very common, but I have found very few suggestions on the internet.

Requirements:
1-only a few dozen users - passwords could be in web.config
2-can have only 1 extra windows account to secure the folder by ACL, but NOT one for each user.
3-user must not be able to download pdf files from that folder unless authenticated

I can see 2 ways to do it - I'd like to use the most 'conventional' method:
option 1- do authentication in aspx using web-forms against users in web.config. Set up 1 user account to secure the folder by windows ACL. If authorisation is successful, impersonate the user account for access to the secure folder.
Will this work? Can anyone please suggest how to do impersonation in code (vb preferred)?

option 2- have a folder above the site root to store pdf files etc. Links to these pdf files would be on aspx pages which require authentication and authorisation (set up in web.config-easy). Concerned about how effectively pdf files would download doing it this way. May also be more problematic for the server administrator to set up a folder outside the site root.

Any other suggestions?

Many thanks

MRutledge
September 8th, 2004, 05:55 PM
Both options you have are viable. I do not know what the most conventional is. Take a look at http://msdn.microsoft.com/security/ and see if they have any suggestions. You might even get more ideas from this site.
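
Option 2 from the question, sketched in VB as an added example (not code from either poster): an ASP.NET handler that streams files from a folder outside the site root only to authenticated users, so the .pdf and .zip files are never reachable by a direct URL. The class name `SecureDownload`, the store path `D:\SecureFiles\` and the `file` query-string parameter are assumptions, and forms authentication is assumed to be configured in web.config as the question describes.

```vb
Imports System
Imports System.IO
Imports System.Web

' Added example, hypothetical names: download handler behind forms authentication (option 2).
Public Class SecureDownload
    Implements IHttpHandler
    ' Assumption: folder outside the site root; its ACL grants read access only to
    ' the single extra Windows account the application runs as.
    Private Const StoreRoot As String = "D:\SecureFiles\"
    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property
    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Defence in depth: web.config should already deny anonymous users for this handler.
        If Not context.Request.IsAuthenticated Then
            context.Response.StatusCode = 401
            Return
        End If
        Dim name As String = context.Request.QueryString("file")
        ' Reject missing names and anything containing path separators, drive colons, quotes, etc.
        If String.IsNullOrEmpty(name) OrElse name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then
            context.Response.StatusCode = 400
            Return
        End If
        ' Allow only the document types this folder is meant to serve.
        Dim ext As String = Path.GetExtension(name).ToLowerInvariant()
        Dim contentType As String
        Select Case ext
            Case ".pdf" : contentType = "application/pdf"
            Case ".zip" : contentType = "application/zip"
            Case Else
                context.Response.StatusCode = 404
                Return
        End Select
        ' Resolve the final path and confirm it is still inside the store.
        Dim fullPath As String = Path.GetFullPath(Path.Combine(StoreRoot, name))
        If Not fullPath.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase) OrElse Not File.Exists(fullPath) Then
            context.Response.StatusCode = 404
            Return
        End If
        context.Response.ContentType = contentType
        context.Response.AddHeader("Content-Disposition", "attachment; filename=""" & name & """")
        context.Response.TransmitFile(fullPath) ' streams the file without buffering it all in memory
    End Sub
End Class
```

`TransmitFile` is used instead of `WriteFile` so that large downloads are not loaded into the worker process's memory, which bears on the download-efficiency concern raised under option 2.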