I'm trying to secure a specific application to one group, but the inherited allow all rule seems to override whatever rule I add. I can't remove it from the application, and there are other applications that expect to have that in place.
How can I prevent that one application from inheriting that rule, or at least make sure what I add overrides that?
I even tried deny all like below, but it still allows access.
<system.web>
<compilation targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="Windows" />
<authorization>
<deny users="*" />
</authorization>
</system.web>