I have a web service that contains 2 asmx files (public.asmx and private.asmx). On IIS6 I could go to the properties of private.asmx then, from the 'File Security' tab, deny all computers access except the IP address for localhost.

In IIS7 I only seem to be able to do this for an entire folder. What am I missing?

Funny - I found this question because I have the same problem, but I think the solution is as follows:

1. In IIS7, browse to the directory containing your public.asmx and private.asmx files.
2. The title at the top will reflect the current directory, like "WebService Home". Click the "Content View" button at the bottom.
3. Right-click on your public.asmx file and choose "Switch to Features View".
4. The title should be "public.asmx Home" to confirm that you're managing the one file.
5. Add your IP restrictions. In this case, I think you want an Allow entry for 127.0.0.1 and choose "Edit Feature Settings" from the Action menu to Deny access to unspecified clients.
6. Click your containing folder again (e.g. WebService) and switch to Content View again to repeat these steps on private.asmx.

I am learning the ropes of IIS7 myself, but I hope this answers your question.

Found this question via Google and was looking for how to do it via the .config file but could not find that answer here. I've since tracked down the info:

The ipSecurity element is used by the web.config in IIS7 to restrict access by IP Address. You can use it like this:

<configuration>
    <location path="private.asmx">
        <system.webServer>
            <security>
                <ipSecurity>
                    <add ipAddress="192.168.100.1" />
                    <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
                </ipSecurity>
            </security>
        </system.webServer>
    </location>
</configuration>

Update: Note that the role has to be added for this security to be enabled. See the ipSecurity article linked above.