A couple of key points here:
"Confirm a user is who they should be, use the roles system in ASP.NET on EVERY page that should be secured."
....
"Do not just rely on the Web.Config settings"
Since I wrote my first forms authentication site, I always ensured on every page requiring authorization that the user's role allowed him access to the page, using the roles system and a few other custom methods. It's just a habit carried over from classic ASP. Stephen Fraser has several good examples of how to avoid this particular exploit in his CMS.NET product (http://www.gotdotnet.com/workspaces/directory.aspx?&Column=WorkspaceName&Direction=ASC&ST=cms.net), although he never mentions the vulnerability per se.
Having said that, these MS "silly" vulnerabilities have become quite tiresome. I really don't like having to constantly convince my bosses not to scrap MS development products altogether in favor of Linux-based tools.
My 2¢
Craig
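As an added illustration of the per-page check Craig describes (this is example code written for this page, not code from the post or from CMS.NET), the following ASP.NET Web Forms base class performs the authentication and role check in page code on every request, so a page stays protected even if the URL-to-rule matching that Web.config `<authorization>` depends on is sidestepped. The names `SecuredPage`, `RequiredRole`, `AdminReports` and the login path `~/Login.aspx` are assumptions; the roles themselves are expected to be attached to `Context.User` by the application's role mechanism (for example a `GenericPrincipal` built in `Application_AuthenticateRequest`).

```csharp
// Added example, not from the original post: a base class that every
// secured page inherits from, so the role check runs in code on each
// request rather than relying only on <authorization> rules in Web.config.
// Assumed names: SecuredPage, RequiredRole, AdminReports, "~/Login.aspx".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class SecuredPage : Page
{
    // Role the page requires; each derived page overrides this (hypothetical property).
    protected virtual string RequiredRole
    {
        get { return "Users"; }
    }

    // OnInit runs before any control processing, so nothing is rendered
    // and no postback logic executes for a caller who fails the check.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        EnforceAccess();
    }

    private void EnforceAccess()
    {
        IPrincipal user = Context.User;

        // Not authenticated at all: send to the login page with the return URL.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            Response.Redirect(
                "~/Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl),
                true);
            return;
        }

        // Authenticated but not in the required role: refuse with 403 and stop
        // processing so the page body is never rendered.
        if (!user.IsInRole(RequiredRole))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}

// A concrete secured page; its .aspx uses <%@ Page Inherits="AdminReports" %>.
// Even if a request reaches this page without passing through the Web.config
// rule for its folder, the role check above still applies.
public class AdminReports : SecuredPage
{
    protected override string RequiredRole
    {
        get { return "Administrators"; }
    }
}
```

The check belongs in `OnInit` rather than `Page_Load` so that it runs before view state is processed and before any event handlers fire; a `Response.End()` there aborts the request cleanly. Keeping the Web.config rules in place as well is still worthwhile, since the page-level check is a second layer rather than a replacement.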