Doesn't the following work for you?
<location path="folder">
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>
</location>
what works for me in the following configuration:
<location path="Content/Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="Admin,Manager,Client" />
<deny users="?" />
</authorization>
</system.web>
allowing anonymous access while in general it's not allowed.
Our you can put in a sub folder a separate location-agnostic Web.config:
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>