As a test, I\'m trying to use the web.config to control security in the following ways:
You may be running in to the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences
Briefly, what happens with ASP.NET by default with web.config is that it only apply the allow and deny rules to files handled by the managed handler.
Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.
You can test this out by adding this to your main web.config to use the IIS version.
I tested this with your same security and same directories and files, and all appears to work
A more complete version if you use other authentication methods such as forms could be this