Found this using google (google is free for everyone to use, BTW):
Place a separate web.config file in the desired folder that will deny access to every request to that folder if the user isn't in the Admin role.
It would look something like this:
<location path="MySecureFolder">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>