I have several files on my ASP.NET site that are for use solely by the application. Currently, they can be viewed in a browser by just using the URL. Is there a way to prevent this without actually moving the files, or do I need to move the files to a different directory, such as _private?
If you are able to install software on the server, you can install Microsoft's URLScan for IIS to restrict what files IIS will serve. This will be for the whole server, however, rather than just the application.
You should also be able to do so on a site basis, using the web.config file. The details are here; they are for IIS 5 and .NET 1.1, but the principle is the same.
Use the IIS Manager to block them individually by navigating to the file, right-clicking on it, and removing the check from the read checkbox.
OR
Use IIS Manager to create a rule for a file type (see this web page: support.microsoft.com/kb/815152).
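The per-site web.config approach and the per-file-type rule mentioned in the answers above could look like the following. This is an added example, not taken from any of the answers or the linked pages; the `.appdata` extension is a constructed placeholder for whatever extension the internal files use, and `_private` is the folder name from the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- IIS 6, or IIS 7+ in Classic pipeline mode.
       ASP.NET answers any request for the placeholder extension with 403.
       This only takes effect if IIS hands that extension to ASP.NET;
       an extension served directly by IIS never reaches this handler. -->
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.appdata" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>

  <!-- IIS 7 and later, with the Request Filtering feature installed.
       Requests are rejected by IIS itself before any handler runs. -->
  <system.webServer>
    <!-- Without this, an Integrated-mode application pool rejects the
         <httpHandlers> section above with an HTTP 500.23 error. -->
    <validation validateIntegratedModeConfiguration="false" />
    <security>
      <requestFiltering>
        <!-- Deny one file type across the whole site (HTTP 404.7). -->
        <fileExtensions>
          <add fileExtension=".appdata" allowed="false" />
        </fileExtensions>
        <!-- Deny any URL that contains this path segment (HTTP 404.8).
             App_Data, bin and web.config are hidden this way by default. -->
        <hiddenSegments>
          <add segment="_private" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```

After deploying, request one of the files by its URL and confirm the response is a 403 or 404 rather than the file contents. The application can still read the files from disk, since these rules only apply to HTTP requests.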
Configuration and data files that are for internal use only should be placed in the App_Data folder:
The App_Data Folder
To improve the security of the data used by your ASP.NET application, a new subfolder named App_Data has been added for ASP.NET applications. Files stored in the App_Data folder are not returned in response to direct HTTP requests, which makes the App_Data folder the recommended location for data stored with your application, including .mdf (SQL Server Express Edition), .mdb (Microsoft Access), or XML files. Note that when using the App_Data folder to store your application data, the identity of your application has read and write permissions to the App_Data folder.
What's new in ASP.NET Data Access