Here is a stub web.config file that worked in my testing under IIS 7.5 (Windows Server 2012). I placed it in the media folder of my test site, and it successfully protected all of the files in or below media from users not in the listed roles.
The nice thing about this is that it works just as you'd want it to. When you make a request to a file in a protected folder, and you're not signed in, then you are redirected to the mojoPortal login page for the site. If you authenticate successfully, and are in the listed roles, then you'll be served the requested file immediately.
<?xml version="1.0" encoding="utf-8"?>
<allow roles="role1, role2" />
<deny users="*" />
Edit: Sorry, I had deny users="?", and it needs to be deny users="*" to only allow particular roles.