So as I commented it turns out that system.web is for iis6 and system.webServer is used for iis7 which is what I was running on. My authorization rules for system.web were correct and so any .net files were blocked as intended however due to the iis7 pipeline integration any other file extensions would not be affected. The solution to this I found from: http://blogs.msdn.com/b/rakkimk/archive/2007/11/28/iis7-making-forms-authentication-to-work-for-all-the-requests.aspx?Redirected=true
It has to do with the line preCondition=""