I guess it's possible to use the same web.config. But I also guess your problem isn't the config file but the IIS settings.
Are you sure you have configured IIS correctly? http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true
I have an EPiServer 6 R2 app built on .NET 4. Hosting the app on IIS7 with Integrated mode, the app works like it should. When I move the app to IIS6 on .NET 4 (making the appropriate changes in the same web.config file), the application ignores the authorization for edit/admin mode of the app and gives an unauthorized user access to edit/admin. Is it possible to do it in the same web.config, or should I create separate ones for both IIS versions?