If you do a View -> Source on your ASP.Net web forms page, you will be able to see the ViewState <input /> field, with the ID __VIEWSTATE. This is nothing but the state of the controls in the page. In general the __VIEWSTATE is a base 64 encoded string, meaning, anybody could decode it and alter/view the state.
In order to prevent that you could add EnableViewStateMAC to your page which would encrypt the __VIEWSTATE data so that nobody could decode and view it without knowing the encryption algorithm and the key which is only known to the server. MAC is nothing but Message Authentication Check.
Refer to the link below:
http://msdn.microsoft.com/en-us/library/ms972976.aspx[
^]
Especially the section "View State and Security Implications"
Hope this helps!