My website is allowing the web.config file to be downloaded. However in my C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config file I have this line
<add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
Which should mean any config file can't be downloaded.
What am I missing?