First, since your boss deleted the ASPNet account, you are likely going to have problems since this is the account your applications use to run. By default, this account has very few privileges and a very strong password, so your boss may have been a little gung ho in deleting it. Since they did this, you will likely have to create a custom account for this. More information here:
http://msdn.microsoft.com/library/de...SecNetHT01.asp
-------------------------------------------------------
But, to your questions. Yes you will need:
authentication mode="Windows"
You should also add:
<deny users="?" />
under "Authorization". This will deny any unauthorized users. Since you are using Windows authentication, you shouldn't need to add a username and password(but you can if you want to and the link above has examples). Using impersonation will pull it from your logon. Also make sure that you uncheck "Anonymous" access in IIS.
If you are connecting from a computer outside your network and assuming your web server is on the Internet, you will get a logon box pop up when you try to access your application. Simply put in your Windows username, password, and domain. If it is an Intranet application, you will be granted or denied based upon your windows logon(if you don't have access, your will get that same popup box).
Note that your will have to be authorized to access not only the application folder, but any other folder that your boss has locked down. Also, if this is a database application you may have to be granted access to the database (if it is SQL Server, you will have to use Windows authentication).
J
identity impersonate
