If you do not already have a web.config file you will need to use a text editor and save the file as web.config, add the appropriate content and then place the web.config in the folder you would like to protect.

Your web.config file should look like this

Code:
<?xml version="1.0"?>
<configuration>
   <system.webServer>
     <modules runAllManagedModulesForAllRequests="true"/>
   </system.webServer>
</configuration>
You will then place this code right after the

Code:
<system.webServer>
Here is an example of how to allow all, but block specific IPs or networks

Code:
<security>
   <ipSecurity allowUnlisted="true">    
       <clear/>                    
       <add ipAddress="1.1.1.1"/>     <!-- blocks the specific IP of 1.1.1.1  -->                
       <add ipAddress="1.1.1.0" subnetMask="255.255.255.0"/>     <!--blocks network 1.1.1.0 to 1.1.1.255-->                
       <add ipAddress="1.1.0.0" subnetMask="255.255.0.0"/>     <!--blocks network 1.1.0.0 to 1.1.255.255-->                
       <add ipAddress="1.0.0.0" subnetMask="255.0.0.0"/>     <!--blocks entire /8 network of 1.0.0.0 to 1.255.255.255-->                
   </ipSecurity>
</security>