IIS 7 by default doesn’t server some website folders and files such App_Data, App_Code, bin, App_GlobalResourses, App_LocalResources, Web.config, etc.
Open Internet Information Services Manager and select the website that you are interesting in denying web access to certain folders within that site. You can either add a properly configured web.config file to the website root, or add a web.config file within the particular sub-directory of the root, to block access to those directories / folders from web browsers.
Or you can use Request Filtering to Add a “Deny” list for each folder you want to restrict access, such as /data/, /_cgi-bin/, /admin/, etc. This deny sequence list can be configured in the web.config file within the root, or you can deny access by creating a properly scripted web.config file within the 'denied' sub-folder itself.