First off - does anyone know if upgrading to 2015 adds any of the functionality I need?
I am running IIS 8.5 on a Win2012R2 server - not Linux-based, so no options for .htaccess-type protection, which would make this easy.

I have a folder tree that prompts for a user/id and pwd.
It then gives access to a page with a small table of folder names - each folder contains files with random names.
I need to be able to BROWSE the folders with these randomly named files (Excel spreadsheets mostly, with current inventory).
I need to set up IIS to allow DIRECTORY BROWSING.
Due to my need to DIRECTORY BROWSE, I do not have the option to put an index.php file in the folder - that would solve the problem if I could do that.

Not that it will affect the answer - but my folders are all https with an SSL-certificate.

My problem is that all of my folders are protected using the SECURE PAGE plug-in except for my browse-able folders.
Since they are browse-able, there is no index.php and thus no SECURE PAGE plug-in.

Is there a way to get the security to propagate down the tree? For instance, a structure such as:
/www/ - my secure folder has index.php and prompts for user-id/pwd
/www/ - this folder has an index.php that lists my subfolders containing random-file names
/www/ - this is browse-able, no index.php
/www/ - this is browse-able, no index.php

The problem - if I navigate to - it will redirect me to the main secure-folder and prompt for the user-ID/pwd.
But if I navigate directly to /www/ or folder2, there is no index.php file and the folder is NOT protected. I do not get redirected to my /secure folder and asked for a user-id, since there is no index.php file in this folder, just a list of files.

Is there a way to protect folder1 and folder2 so that if I am not logged in I can't get to them, which I currently can?

Thanks all.