<location path="Premium.aspx">
<system.web>
<authorization>
<allow roles="Subscribers"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Is the order of "allow" and "deny" matter?
To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:
<deny users="*" />
<allow users="Administrator" />
Administrator will be denied since it matched the first entry of deny... even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:
<allow users="Administrator" />
<deny users="*" />