If have the following web.config:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MembershipCookie" 
             loginUrl="Login.aspx" 
             protection="All" 
             timeout="525600" 
             slidingExpiration="true" 
             enableCrossAppRedirects="true" 
             path="/" />
    </authentication>
    <authorization>
      <deny users="?"  />
    </authorization>
  </system.web>
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

The application is an ASP.NET 2.0 application running on Windows 2008R2/IIS7.5.

If the site's application pool is configured to run ASP.NET 2.0 and I browse to http://example.com then Default.aspx is rendered as you'd expect from the rules above.

However if the application pool is set to run ASP.NET 4.0 I am redirected to the login page. If I explicitly specify http://example.com/default.aspx then all is good and default.aspx renders.

I've tried rewriting / -> /default.aspx (using IIS UrlRewriter 2.0) but the result is still the same, I get kicked to the login page.

I've also tried this with an ASP.NET 4.0 application with the same result (which is where the problem initially arose). The reason I tried this with a 2.0 application was to see if there was a change in behaviour, and it seems that / is handled differently in 4.0.

So to summarise, using the configuration above the following is observed:

ASP.NET Version  Url                                 Behaviour
-------------------------------------------------------------------------
2.0              http://example.com                  Renders Default.aspx
2.0              http://example.com/Default.aspx     Renders Default.aspx
4.0              http://example.com                  Redirects to Login.aspx
4.0              http://example.com/Default.aspx     Renders Default.aspx

Is this a bug/breaking change or have I missed something glaringly obvious?