There are two ways to limit the pages to authenticated users.

The one is programmatically, the other is by using the web.config
Starting with web.config on this line you can limit what users can see and what, this is the line that control that:

<authorization>
  <allow users="?" />
</authorization>

and the details are here: http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.100).aspx

By placing in a directory a web.config with this inside you block anyone from see anything.

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

and then you add additional permission to let some of them to see.

Other way is to go pro grammatically in each page you need authentication and add a code that check if this is true or not HttpContext.Current.User.Identity.IsAuthenticated

And there are the global.asax that you can make a broad check on the protected void Application_AuthenticateRequest(Object sender, EventArgs e) function that is called for every page.

Please note that if you have set requireSSL=true on the forms, then the Identity.IsAuthenticated is return correct results only on secured ssl pages, on all other pages return false.

And one relative question: Can some hacker steal the cookie from a user and login with that name on a web site?