try to set allow "*" under authorization section using location element for your virtual directory.
If Valdis solution doesn't work, check these settings also
<add name="StaticFileHandler" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
Thanks both for the responses, it helped me narrow down the cause.
It turns out that while "Anonymous Authentication" was enabled for that virtual directory in IIS7, when I edited that property, the "Anonymous user identity" was set to "Specific user:" rather than the "Application pool identity" which obviously had permissions.
Changed it over and it's working correctly now.
We have a Virtual Directory set up within IIS to point to a directory full of images.
When browsing to one of the images within this folder, Episerver throws a prompt to log in.
If the log in is successful, the image is shown but we'd like this to be available to anonymous users.
Would anyone know what permissionconfig needs to change to allow this?