- Does this only work for Web.config files?
I think so, but a simple test will give you a sure answer. (update: the tool asssumes there is web.config file. If you need to encrypt another file like app.config, just rename it to web.config).
- What exactly is encrypted? The whole config file?
You can specify sections that will be encrypted (see this link).
- Does IIS automatically know how to decrypt encrypted config files?
Yes (same link)
- What encryption algorithms are used?
You can choose a provider of your choice (same link)
- Are there any encryption keys (and/or passwords)? Where are they?
Yes there are if you use the RsaProtectedConfigurationProvider, see this link for more info.
- Can I encrypt on one machine and decrypt on another? (Or does it rely on a secret key somewhere on the server?)
Yes, using RsaProtectedConfigurationProvider it is possible.
For more general information on Protected Configuration, please refer to this guide on MSDN.