According to
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290,
it looks like that this is restricted to particular sections :
When you apply the hotfix that is described in Microsoft Knowledge Base
article 329250 (see "References"), you can use encrypted data that is stored
in the registry instead of plain text in the following configuration
sections:
a.. <identity userName= password= />
b.. <processModel userName= password= />
c.. <sessionState stateConnectionString= sqlConnectionString= />
IMO, the best location is still the web.config file (this way you have all
settings in this unique file) possibly encrypted first...
Patrice