authentication - deny user="*" not working properly means even not logged into specified page -

<location path="admin">     <system.web>       <authorization>         <allow roles="208"/>         <deny users="*"/>       </authorization>     </system.web>   </location> 

if use this<deny users="?"/> access folder pages.
please me.