You’re using system.web. In IIS7, you should use system.webServer instead. This will block all types of files, not just ASP.NET files. For example, you can password protect jpg, gif, txt and all types of files.
It would look something like this:
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
And if you want to set it for just 1 file:
<location path="dontlook.jpg">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>