I've encrypted connection Strings section in web.config as described in the article below:
Walkthrough: Encrypting Configuration Information Using Protected Configuration
http://msdn.microsoft.com/en-us/library/dtkwfdky(v=vs.100).aspx
It works as expected.
But it still works after I revoked access to "NetFrameworkConfigurationKey" using this command and restarted IIS:
aspnet_regiis.exe -pr "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
I've reconfigured application pool to use a newly created user, and this user is able to access encrypted section without granted permission to "NetFrameworkConfigurationKey"!
So I'm wondering how to revoke access to an encryption key for a specific user.