Read the following:
Form authentication and authorization in ASP.NET[
^]
By setting deny to ? it allows any authenticated user to access the page. You need to set deny to * (Block everyone) with just the exceptions listed under allow. Try the following:
<authentication mode="Forms">
<forms name="login" defaultUrl="Login.aspx" loginUrl="Login.aspx" timeout="120"/>
</authentication>
<authorization>
<allow users="admin,coal" />
<deny users="*" />
</authorization>