ASP.NET defines different folders for you to add your data in, your code, user data, references can all be saved in those folders, and ASP.NET will automatically just deny any request to those folders and any thing in them will be safe and un-accessible. Using these folders is a better move rather than creating your own logic to control the URLs where the user can navigate to and where not to.
You will get the list here,
http://msdn.microsoft.com/en-us/library/ex526337.aspx[
^]. Mostly used folders are App_Data, App_Code.
- App_Code: Used to store all your server-side code, such as C# class files etc.
- App_Data: Can contain the databases and other data that needs to be made secure.
There are folders meant for each and every purpose whose list can be easily read at the MSDN post link I have given. Read them and use them as required. ASP.NET will take care of the security and all other stuff required and the user will always see a 404 when surfing to the location where they're present.
Secondly, from your web.config folder you can add the error to the location of your folder, so that when user makes a request to that folder he gets a 404.