explain ...
I suspect that some users are connecting with the anonymous (or other e.g. impersonate) credentials which allow access and some credentials don't have the privs.
The authentication scheme can be specified in the properties tab for the site under IIS admin. It can also be set in the web.config for the virtual directory or at the site level.

Post the web.config (located in VD) here. Look in properties tab for VD in IIS admin to see the security settings.