Well there are different types of authentication modes that you can use to authenticate users. By default ASP.NET web applications (and websites) are configured to use Windows Authentication.
We should take a step back actually...
When the browser makes a request for your website, IIS needs to authenticate the user in order to create a Windows token that represents the user that will be running the website.
The Windows token created is the user account that the website is run under. By default the application is set up to allow for anonymous authentication so the Windows token created is for the IUSR_MACHINE account.
After IIS authenticates the user, ASP.NET authenticates the user. ASP.NET looks at the web.config to determine what type of authentication should be used to authenticate the user.
In this case, by default, ASP.NET uses Windows authentication to authenticate the user; however, it could be configured to use Passport, or Forms authentication instead.
Forms authentication is pretty cool and I recommend that you take a look into it to educate yourself on what it is all about and how it might help you. You could also check out Passport authentication as well but it's a proprietary authentication service provided by Windows that you have to pay for to use.
For a better explanation of what's going on take a look on MSDN:
There are Tons of articles out there on the topic...
-Frinny