If you map your image file extension(s) to be handled by aspnet_isapi.dll in
the IIS properties for your application, you could then map them to the
StaticFileHandler in your web.config, which will cause ASP.NET to apply your
authorization settings to the files while allowing them to display as-is if
authorization passes. For details on the technique, see
want to use the StaticFileHandler rather than the HttpForbiddenHandler).