A user trying to reach a file in the app_data or app_code directory will not succeed because those are protected by the framework. The same goes with the bin directory files. But, if a user tries to pull the .vb version of account.aspx, for example, the server will try to interpret that file and return something like:
"Unable to cast object of type 'System.Web.HttpForbiddenHandler' to type 'System.Web.UI.Page'."
Is this normal?