This is due to the handler in web.config.
By default, .config gets a HttpForbiddenHandler (except for
..exe.config and .dll.config which get StaticFileHandler - at least on
my setup).
I strongly suggest that you leave this alone; otherwise it allows
people to snoop at your configuration, which is not great, even if it
is encrypted (which many aren't).
If the file is actually the config for an app, either use the above (I
can't remember if this is default or custom), or use the ClickOnce
trick and add .deploy to the name, i.e. myapp.exe.deploy,
myapp.exe.config.deploy - and strip it again after download.
If the config in question is in a sub-folder, you could add a
web.config, remove the existing .config handler and add a new one.
Standard web.config stuff. Let me know if you don't know how.
Marc