The whole idea is wrong. Security is not done be preventing the user to change any URL. It's not under your control; the user, by definition, can enter any thinkable URL and send any HTTP request with that URL, even the request which cannot be sent based on any of your pages — and you should always assume that any HTTP request is possible, without any limitations.
The security starts when your code behind (in your case, ASP.NET code) handles an HTTP request. Then you have to detect that the user is not authenticated and generate appropriate page content, for example, the page redirecting to your Login page. This is just one of the fundamentals of authentication. If the user is authenticated, the content of other pages may depend on the user's record.
You can start here:
ASP.NET Authentication.
See also:
HttpRequest.IsAuthenticated Property (System.Web).
—SA