ASP.NET grants access from the configuration file as a matter of precedence. In case of a potential conflict, the first occurring grant takes precedence. So,
deny user="?"
denies access to the anonymous user. Then
allow users="dan,matthew"
grants access to that user. Finally, it denies access to everyone. This shakes out as everyone except dan,matthew is denied access.
Edited to add: and as @Deviant points out, denying access to unauthenticated is pointless, since the last entry includes unauthenticated as well. A good blog entry discussing this topic can be found at: Guru Sarkar’s Blog