The application sub directory MUST be set as an application on IIS. Also, you can not re-issue the authentication tag on the web.config for sub-directories, since this is not an overridable attribute, so just set it at the root level and it will automatically be inherited by the sub-directory of the application.

If you want the root of the directory to be open to anonymous connections but not a sub-dir you will need to define the authentication at the root but allow anonymous connections, and then just use the allow tag on the web.config in the sub-dir to allow only authenticated user.