I found a few different question here that explain how to make sure CSS loads properly without the user being logged in: CSS not being applied on non authenticated ASP.NET page.
Why does this problem only happen in the development environment, and not in production? If the problem is that web.config says that non-authenticated users cannot access the css files, then why does it work fine in production? It seems that in web.config should prevent that access in both production and development.
The answer is simple.
In your dev environment this is the asp.net engine which serves all the content, static and dynamic. Thus, authorization rules apply to both.
In your prod, iis routes dynamic requests to asp.net page handler but requests to static content is handled by iis. Thus, authorization does not apply as the asp.net is not involved in requests to jpgs, csses and other static assets.
If you want a uniform semantics between environments, you'd have to turn on running all managed modules for all requests, this is a setting of your asp.net web application. It routes all requests via asp.net which causes the engine to apply all modules (including the url authorization module) for all requests.
