Problem with webHttpBinding - it completely bypasses the asp.net authentication mechanism!
07-20-2007, 11:23 AM
I host a service called MyService.svc in a private subfolder of my
web application, like so:
/
/private
/private/myservice.svc
/private/privatepage.aspx
I use a location tag to secure the private folder to deny anonymous users.
I test this successfully by using Internet Explorer to go to
/private/privatepage.aspx and noting that I get the redirection back to my
loginpage.aspx with the return URL of /private/privatepage.aspx duly noted
on the querystring.
However - as you can guess by the post title - anyone is free to call my
"private" myservice.svc despite not being logged in.
The service is not protected.
What gives?
Cheers