A tip for anyone struggling with restricting access to a specific AD group: Windows has a tendency to cache credentials and user tokens for a really long time. It seems like it takes up to an hour between adding or removing someone from an AD group and getting the correct results from the IIS web app after configuring the setting:

```xml
<add key="Allow" value="DOMAIN\GROUP1,DOMAIN\GROUP2"/>
```

During my initial testing I wasn’t patient enough and wound up thinking the domain group stuff was broken, so when I got it to work and log people in with DOMAIN\Domain Users I just left it like that.
I recently tried again with a dedicated DOMAIN\Discourse Forum Users group and rebooted the IIS server after adding it, and that made it work. I’m not an IIS expert so I’m not sure how to tweak those access token cache periods correctly, but it will eventually update itself if you’re not in a hurry.
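
One way to tell a stale token from a misspelled group in the `Allow` value, as an added example that is not part of the original post: the PowerShell below resolves each listed group to a SID and checks whether the current logon token contains it. The function name `Test-AllowListAgainstToken` is hypothetical, the sample value is the placeholder from the setting above, and it inspects the token of the account running the script, not the token IIS has cached for a user.

```powershell
# Added example. Assumes the Allow value is a comma-separated list of
# DOMAIN\Group names, as in the setting shown in the post.
$allowValue = 'DOMAIN\GROUP1,DOMAIN\GROUP2'   # constructed sample value

function Test-AllowListAgainstToken {
    param(
        [Parameter(Mandatory)] [string] $AllowValue
    )

    # Token of the current logon session; group membership is fixed at logon.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    $names = $AllowValue.Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($name in $names) {
        $row = [ordered]@{ Group = $name; Sid = $null; InToken = $false; Note = '' }
        try {
            # Resolve the name to a SID; fails if the group name is wrong.
            $account = [System.Security.Principal.NTAccount]::new($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            $row.Sid = $sid.Value

            # True only if the SID is already present (and enabled) in this token.
            $row.InToken = $principal.IsInRole($sid)
            if (-not $row.InToken) {
                $row.Note = 'Group resolves but is not in this token (not a member, or token predates the change)'
            }
        }
        catch {
            $row.Note = "Could not resolve group name: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

Test-AllowListAgainstToken -AllowValue $allowValue | Format-Table -AutoSize
```

A group that resolves but shows `InToken = False` for a user who was just added points at a token issued before the membership change rather than at the `Allow` setting itself.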