You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>