Its just Forms Authentication, based on Roles that are assigned to a user. If a user is in a particular role, then they would essentially have access to those filetypes in that directory. RIght now everything works for the forms in the 'secure' directory, just trying to work out the files now...