1

I wish to block access to all non-registered users.

So, wouldn't the following work?

<authorization>
      <deny users="?" />
</authorization>

But I have seen many users using the <allow> tag as well, together with the deny tag. Why do we need to write <allow> since we just deny the unwanted users?

4

2 Answers

2

It doesn't hurt to have an allow element. But it won't change anything.

From MSDN:

The default configuration for ASP.NET contains an element, which authorizes all users. (By default, this rule is applied last.) If no other authorization rules match, the request is allowed. If a match is found and the match is a deny element, the request is returned with the 401 HTTP status code. If an allow element matches, the module allows the request to be processed further.

Edit: To answer your question below. What you probably want is:

<authorization>
      <allow roles="Admin"/>
      <deny users="*" />
</authorization>

In other words: allow admins but deny EVERYONE else.

answered 2012-07-02T17:23:43.330
1

It is a combination of them that you can use at your disposal. It is good practice to specifically call out your authorizations so you can cover your bases. For example, you can specify to deny all unauthorized users, then say allow all others or a subset. The order does matter, like aquinas mentioned.

Don't know how to respond to your question about allowing one role but not the other, Admin vs user:

ok. Also, if I wish to allow access to only "Admin" role and not "user" role, adding would work fine, right?

This would work but not as you expect. This would deny all with the "users" role, but then allow for every other role. So to fix this, you would want to add the allow tag with the Admin role specified.

answered 2012-07-02T17:27:27.460
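
A simplified model of the first-match rule evaluation that both answers rely on, as an added example that is not part of either answer and is not ASP.NET's own code. The function names, sample users and the three configurations are constructed; the model ignores the `verbs` attribute and compares role names exactly.

```python
import xml.etree.ElementTree as ET

# Rule inherited from the default configuration; evaluated last.
DEFAULT_RULE = ET.fromstring('<allow users="*" />')

# Constructed sample configurations.
DENY_ANONYMOUS = '<authorization><deny users="?" /></authorization>'
ADMIN_ONLY = ('<authorization><allow roles="Admin" />'
              '<deny users="*" /></authorization>')
DENY_USER_ROLE = '<authorization><deny roles="user" /></authorization>'

def _names(rule, attr):
    """Split a comma-separated users/roles attribute into names."""
    return [n.strip() for n in rule.get(attr, "").split(",") if n.strip()]

def rule_matches(rule, user, roles):
    """user is None for an anonymous request ('?'); '*' matches everyone."""
    for name in _names(rule, "users"):
        if name == "*" or (name == "?" and user is None):
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return user is not None and any(r in roles for r in _names(rule, "roles"))

def authorize(config_xml, user=None, roles=()):
    """Return the HTTP status produced by the first matching rule."""
    rules = list(ET.fromstring(config_xml)) + [DEFAULT_RULE]
    for rule in rules:
        if rule_matches(rule, user, roles):
            return 200 if rule.tag == "allow" else 401
    return 401  # not reached: the default rule matches every request

if __name__ == "__main__":
    for label, cfg in [("deny ?", DENY_ANONYMOUS), ("admin only", ADMIN_ONLY),
                       ("deny role user", DENY_USER_ROLE)]:
        # Columns: anonymous, alice (role user), bob (role Admin)
        print(label,
              authorize(cfg),
              authorize(cfg, "alice", ["user"]),
              authorize(cfg, "bob", ["Admin"]))
```

With only a deny rule for one role, an anonymous request matches nothing until the default allow-all rule, so it is let through; the allow-then-deny-everyone form closes that gap.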