It sounds like Forms Authentication can handle what you need. Add the following line to your root web.config
<authentication mode="Forms">
<forms name="XXXXX.ASPXAUTH" timeout="60" loginUrl="~/login.aspx" protection="All" path="/"></forms>
</authentication>
Replace the XXX's with whatever you want to call your cookie. Also rename login.aspx to whatever you named your login page. This code will redirect anyone who is not authenticated to the login page.
Then, in your login logic use something like the following C# code
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, txtUsername.Text,
DateTime.Now, DateTime.Now.AddMinutes(60), true, reader["user_level"] + "",
FormsAuthentication.FormsCookiePath);
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
Response.Cookies.Add(cookie);
With this code, you will want to send in the user level of the person logging in (i.e. Administrator, User, etc) where I have "reader[..."
The last thing you need to do is set up each protected directory with it's own web.config that outlines the user roles that are allowed and the roles that are denied. The names you use for the roles in the web.config needs to be consistent to the values that are sent in to the FormsAuthenticationTicket and you'll be good to go.