There are 2 parts to using Windows Authentication within a website; Authentication and Authorization.
The way your web.config is setup is to use Windows Authentication, and you are Authorizing All Users from that.
What I believe you want is to not go through that Windows Authentication; so for that directory you would need to set it to Anonymous Authentication
<location path="">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
ASP.NET Web.config authentication/authorization settings - Stack Overflow[
^]
It does get a little tricky to work with; I would be tempted to make a 1 page website and make it a separate web application that is just "open"