It is entirely possible for a user to be a member of no roles, yet to authenticate successfully. In fact, this condition occurred recently on a web app where the admin added a user and didn't assign any roles. Some resources failed because they expected a role, and I think there's a use for this scenario (authentication + no roles) that should be supported. However, despite documentation stating that in the authorization section, one can use "?" and "*" for both roles and users, the fact is using either with roles fails with an error:
Authorization rule names cannot contain the '?' character.
So the question: is there some way, using security trimming, to accomplish denial to authenticated users without any roles? I am NOT looking for solutions based on coding - I already know how to do that.