C#: Best way to restrict access by IP address?
Original URL: http://stackoverflow.com/questions/431013/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Best way to restrict access by IP address?
Asked by Kb.
For an ASP.NET C# application, we will need to restrict access based on IP address. What is the best way to accomplish this?
Accepted answer by bluskye
In IIS 7, the best way to restrict IP is by using the config file.
Full article:
http://boseca.blogspot.com/2010/12/programmatically-addremove-ip-security.html
Answer by Tom Anderson
Here is an article from Microsoft on how to do this.
Setting Folder Security by IP Address or Domain Name
Apache uses the Allow and Deny directives to determine the sites that can access a particular Web site or folder. However, Apache provides discretionary access control; you must either deny all sites and provide a specific list of sites or IP addresses that can access a folder or allow all sites and deny only those sites that you do not want to have access. For example, if you use the following directive, all client computers are denied access unless they are recognized as part of the domain.com domain:
    Deny from all
    Allow from .domain.com
IIS works the same way. All clients are specifically denied or granted access, except for those that are listed.
Define Access Control for Specific Folder or Site
- Log on to the Web server computer as an administrator.
- Click Start, point to Settings, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Services Manager.
  - If you want to limit access for the whole site, select the Web site from the list of different served sites in the left pane.
  - If you want to limit access only for a specific folder, click the folder you want to control.
- Right-click the Web site or folder, and then click Properties.
- Click the Directory Security panel.
- If you want to limit access to a specific set of sites but deny access to all other sites, click Denied Access.
- If you want to grant access to all clients by default but exclude a specific list of clients, click Granted Access.
- To update the list of hosts or domains in the Except list, click Add.
- To add a single computer to the list, click Single computer, type the IP address in the appropriate box, and then click OK.
- To add a range of computers in a specific address range, click Group of computers, type the IP address for the network in the appropriate box, type the subnet mask for the network range you want to configure, and then click OK.
- To add computers by their identified domain name, click Domain name, and then type the domain name in the appropriate box.
- Click Properties, type the domain name, and then click OK.
- Click OK, and then click OK.
NOTE: If you use domain name restrictions, the server has to perform a reverse DNS lookup for each request to check the host's registered domain name. Microsoft recommends that you use an IP address or network range whenever you can.
Answer by Mitch Wheat
One way is using an HttpModule.
From the link (in case it ever goes away):
    using System;
    using System.Web;

    /// <summary>
    /// HTTP module to restrict access by IP address
    /// </summary>
    public class SecurityHttpModule : IHttpModule
    {
        public SecurityHttpModule() { }

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(Application_BeginRequest);
        }

        private void Application_BeginRequest(object source, EventArgs e)
        {
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            string ipAddress = context.Request.UserHostAddress;
            if (!IsValidIpAddress(ipAddress))
            {
                context.Response.StatusCode = 403;  // (Forbidden)
                // Setting the status alone does not stop the request; skip the
                // rest of the pipeline so the protected content is never rendered.
                application.CompleteRequest();
            }
        }

        private bool IsValidIpAddress(string ipAddress)
        {
            // Exact string match on the IPv4 loopback address only
            return (ipAddress == "127.0.0.1");
        }

        public void Dispose() { /* clean up */ }
    }
Once the HTTP Module class is built you need to register it in the httpModules section of your web.config file, like this:
    <configuration>
      <system.web>
        <httpModules>
          <add name="SecurityHttpModule" type="SecurityHttpModule"/>
        </httpModules>
      </system.web>
    </configuration>
This adds the module to the ASP.NET request pipeline for your web application.
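A range-aware check that the module's IsValidIpAddress could delegate to, covering the single-address and network/mask entries that the IIS dialog offers as well as IPv6 loopback. This is an added example, not code from the answers or the linked articles; the IpAllowList class and the sample ranges are hypothetical, and it assumes C# 7 on .NET Framework 4.5 or later.

```csharp
using System;
using System.Linq;
using System.Net;

// Added example: allowlist of single addresses and CIDR blocks (names are hypothetical).
public sealed class IpAllowList
{
    private readonly (byte[] Net, int Bits)[] _ranges;

    // Entries are single addresses ("::1") or CIDR blocks ("10.20.0.0/16").
    public IpAllowList(params string[] entries) { _ranges = entries.Select(Parse).ToArray(); }

    private static (byte[] Net, int Bits) Parse(string entry)
    {
        string[] parts = entry.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        int bits = parts.Length == 2 ? int.Parse(parts[1]) : net.Length * 8;
        if (parts.Length > 2 || bits < 0 || bits > net.Length * 8)
            throw new FormatException("Bad allowlist entry: " + entry);
        return (net, bits);
    }

    public bool IsAllowed(string remoteAddress)
    {
        // Fail closed on anything that does not parse as an IP address.
        if (!IPAddress.TryParse(remoteAddress, out IPAddress ip)) return false;
        // Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d.
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        byte[] addr = ip.GetAddressBytes();
        return _ranges.Any(r => r.Net.Length == addr.Length && PrefixMatches(addr, r.Net, r.Bits));
    }

    private static bool PrefixMatches(byte[] addr, byte[] net, int bits)
    {
        int fullBytes = bits / 8, rest = bits % 8;
        for (int i = 0; i < fullBytes; i++)
            if (addr[i] != net[i]) return false;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;   // high-order bits of the partial byte
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }
}

public static class Demo
{
    public static void Main()
    {
        var allow = new IpAllowList("127.0.0.1", "::1", "10.20.0.0/16"); // constructed sample ranges
        foreach (var a in new[] { "127.0.0.1", "::1", "::ffff:10.20.3.4", "10.21.0.1", "127.0.0.1.evil" })
            Console.WriteLine($"{a} -> {allow.IsAllowed(a)}");
    }
}
```

Behind a reverse proxy or load balancer, Request.UserHostAddress is the proxy's address, so the allowlist has to be evaluated against an address the proxy vouches for rather than a client-supplied header.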