I am curious whether the order in which you supply the <allow> and <deny> elements in the element does matter?

Yes, the order matters. This page describes the basic principles: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx. As per the page, a list of authorization rules is built up from the hierarchy of config files and then the first match wins.

This SO question has a nice example: ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied