I've got a master page in a root folder of an asp.net application and content pages in subfolders. I'm using forms authentication and am not sure what to do, in web.config, for the master page. Does the forms authentication protect the child pages or the master page?
How does it work?
No. Web.config authorization is based on the URL of the requested page. It's completely unrelated to master pages.
The web.config authorization affects the URLs of the pages. So .aspx, .ashx or anything else that can be "served up" by ASP.NET running under IIS.
Pages that aren't served (.config, .master, etc) are not protected by authentication, but also won't be served anyway.
You should be aware that other static pages (.css, .js, .gif, .png, etc.) are NOT affected by authentication unless you configure IIS to let ASP.NET handle these pages.