Following is my folder structure.
I need to apply authorization rules for all files under secret folder (including Bear.bmp).
Following is my updated Web.config after adding the handler mapping. 
The SecretFile.aspx is restricted however, Bear.bmp is still accessible for anonymous users. Am I missing anything?
Thanks!