Is there a way to implement forms authentication, but only for a specific URL? For example, I would want the formsAuthentication to protect the site on staging.mydomain.com but not hinder access to www.mydomain.com if the web.config accidentally got moved over to the production site.
Forms auth is implemented on the web site instance. It's not going to work that way.
The web.config is where you can manage what FormsAuthentication does. So, the answer is kind of in your question and @Andrew is right.
However, you might be able to do something in your global.asax to recognize the server or domain that the site is running on and disable FormsAuthentication. Maybe create a user that has access to everything and manually set a FormsAuthenticationTicket to that user on session start if the domain is www.mydomain.com.
This is a bit hackish and I would suggest coming up with an out of band way to control your web.config instead.
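The Global.asax idea from the answer above, shown as an added example (not the answerer's code). It assigns the identity during the forms authentication module's `Authenticate` event instead of issuing a ticket at session start; the `PublicHosts` list and the identity name `public-visitor` are assumptions made for illustration.

```csharp
// Global.asax.cs -- added illustration, not code from the original thread.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: hosts that must stay public even if the staging
    // web.config (with <deny users="?"/>) is deployed to them by mistake.
    // Every other host falls through to normal forms authentication.
    private static readonly string[] PublicHosts = { "www.mydomain.com" };

    // Raised by FormsAuthenticationModule before it reads the auth cookie.
    // When e.User is set here, the module uses it instead of the ticket.
    public void FormsAuthentication_OnAuthenticate(object sender,
                                                   FormsAuthenticationEventArgs e)
    {
        // Request.Url.Host is derived from the client's Host header, so this
        // check relies on the staging site's IIS binding accepting only
        // staging.mydomain.com. With a catch-all binding on staging, the
        // comparison below would no longer protect it.
        string host = e.Context.Request.Url.Host;

        bool isPublicHost = Array.Exists(
            PublicHosts,
            h => string.Equals(h, host, StringComparison.OrdinalIgnoreCase));

        if (isPublicHost)
        {
            // Authenticated identity with no roles: satisfies <deny users="?"/>
            // but not role-based <allow roles="..."/> rules.
            // Hypothetical name; it will show up as User.Identity.Name.
            e.User = new GenericPrincipal(
                new GenericIdentity("public-visitor"), new string[0]);
        }
    }
}
```

On the public host, any code that branches on `User.Identity.IsAuthenticated` will now see `true` for every visitor, so pages that use that property to gate functionality need a role check instead.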
We have used a simple workaround in the past.
We set the default Login page to be a simple page that is accessible to anonymous users, let's call it checkDomain.aspx.
In that page, we do a quick check of the domain and based on that we redirect users to the login.aspx page in the staging site, or to the original requested URL in the production site. This wasn't pretty but it was quick and easy to implement for a short period of time when we feared something like that could happen.