IIS Forms Authentication (php, asp.net server side login)

If the site requires the user to authenticate, then you should remove the anonymous access and allowing only windows integrated. Page.User.Identity.Name returns a blank because anonymous authentication is used over windows integrated.

If this is a domain then allow roles should be in the form domain\security group. "?" in deny users usually is enough to block anonymous access.

<identity impersonate="true" /> might be useful if your code needs to access a resource which needs to authenticate as the user that's using your application.

For future reference, this looks like a misunderstanding between authentication modes.

IIS 7+ has two modes - one using a built-in HTTP-level set of authentication options - in <system.webServer>, and one for ASP.Net, in <system.web>.

The ASP.Net behaviours don't become available until you run an ASP.Net handler - whether in Classic or Integrated mode - and then still (usually) apply after the IIS-level system.webServer/security settings.

In the example above, the addition of an ASP.Net page changed the behaviour for (at least) that page, and I'd guess possibly added wildcard handler mappings to handle extensionless URLs through .Net.

There's then also the URL Authorization (IIS, i.e. system.webServer) vs .Net Authorization (.Net, i.e. system.web) rules to consider - in general, pick one set per app and stick to it.