为使您的形式authetication锁定的HTML文件，你需要让他们通过ASP.NET提供服务。您可以通过扩展（S），你需要（如的.html，.htm和等）与关联ASPNET_ISAPI.DLL在IIS中做到这一点。

Onces ASP.NET所服务的那些文件你能为他们指定就像任何aspx页面的权限。

有关更多信息，请参阅 MSDN ：

  

在默认情况下，IIS处理静态
  内容本身 - 如HTML页面和
  CSS和图像文件 - 并且只手
  关闭请求到ASP.NET运行时
  当与一个扩展一个页
  的.aspx，的.asmx或.ashx的请求。

  
  

IIS 7，但是，允许综合
  IIS和AS​​P.NET管道。与一些
  你可以设置配置设置
  IIS 7调用
  FormsAuthenticationModule所有
  要求。此外，IIS 7，您
  可以定义URL授权规则
  任何类型的文件。欲了解更多
  信息，请参见IIS6间关系的变化
  和IIS7安全，你的网络平台
  安全和理解IIS7 URL
  授权。

  
  

长话短说，在之前的版本
  IIS 7，你只能使用形式
  验证保护资源
  由ASP.NET运行时处理。
  同样，URL授权规则
  仅施加到由处理资源
  ASP.NET运行时。但随着IIS 7它
  能够整合
  FormsAuthenticationModule和
  UrlAuthorizationModule到IIS的HTTP
  管道，从而延长此
  功能，所有的请求。

块引用>

I am using forms authentication in IIS7 to password-protect a dev site, but the authentication seems to get by-passed when the site contains only static HTML files + login.aspx + web.config.

When I renamed the files to .aspx, I am prompted with the login form I am not doing anything fancy. I have a very simple login script and it should just redirect to index.html afterward.

Any suggestions? To summarize, the entire site is using HTML (for now) and needs to be password protected.

<authentication mode="Forms">
  <forms name="appNameAuth" path="/" loginUrl="~/login.aspx" defaultUrl="index.html" protection="All" timeout="525600">
    <credentials passwordFormat="Clear">
      <user name="[user]" password="[password]" />
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>

To make the HTML files locked down by your forms authetication, you need have them served by ASP.NET. You can do this in IIS by associating the extension(s) you need (eg. .html, .htm, etc) with the aspnet_isapi.dll.

Onces ASP.NET is servicing those files you can specify the permissions for them just like any aspx page.

For more information refer to MSDN:

By default, IIS processes static content itself - like HTML pages and CSS and image files - and only hands off requests to the ASP.NET runtime when a page with an extension of .aspx, .asmx, or .ashx is requested.

IIS 7, however, allows for integrated IIS and ASP.NET pipelines. With a few configuration settings you can setup IIS 7 to invoke the FormsAuthenticationModule for all requests. Furthermore, with IIS 7 you can define URL authorization rules for files of any type. For more information, see Changes Between IIS6 and IIS7 Security, Your Web Platform Security, and Understanding IIS7 URL Authorization.

Long story short, in versions prior to IIS 7, you can only use forms authentication to protect resources handled by the ASP.NET runtime. Likewise, URL authorization rules are only applied to resources handled by the ASP.NET runtime. But with IIS 7 it is possible to integrate the FormsAuthenticationModule and UrlAuthorizationModule into IIS's HTTP pipeline, thereby extending this functionality to all requests.