You create an ASP.NET application that contains confidential information. You use form-based authentication to validate users. 
You need to prevent unauthenticated users from accessing the application. 
How is this achieved?

A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access. <deny users="?" />