I'm trying to use IIS Dynamic IP Restrictions to throttle requests from the same IP. I have the module running and the requests are nicely throttled if I edit the dynamic restrictions settings from the IIS UI. This is nice however I need to have different rates on different URLs. Login should be for example more strict than static resources. I'm trying to use locations in web.config to achieve this.

<configuration>
  <location path="foo">
  <system.webServer>   
    <security>     
      <dynamicIpSecurity enableLoggingOnlyMode="true">       
         <denyByRequestRate enabled="true" maxRequests="1" 
            requestIntervalInMilliseconds="5000" />
      </dynamicIpSecurity>
   </security>  
  </system.webServer> 
  </location>
</configuration>

Unfortunately, this doesn't apply. I'm quite sure it has nothing to do with my app because it doesn't work also on a static web with one HTML file. I'm also quite sure that the location path is correct, because the requests are blocked if I add ...<deny users="*" />.

This is not possible. From the module description:

This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

Internally this is implemented as HttpModule (native HttpModule that is). HttpModule runs for every single request - location doesn't affect them. For reference check out Exclude certain pages from using a HTTPModule

So your only other option (if you need to support this exact module) is to organize your site to several mini-applications instead.

Like

/ -> root web application

/Content -> web application with static content

/Login -> web application with login functionality

And in every single mini-application create web.config with appropriate rules.