Last week I was playing around with ASP.NET SiteMaps, and even though you get role-based security out of the box, it's not used at runtime.
What do I mean? When I create a Web.sitemap and populate it properly with my pages, URLs AND Roles, the nodes for those roles still show up in my TreeView even though I'm not logged in. What's up with that?
This week from my study group, I learned the secret. Come in closer for this, this is good! Turns out the defaults used for SiteMaps don't actually use the Roles out of the box; you need to do a bit more work. Namely, add a siteMap node to your Web.config and make sure it has securityTrimmingEnabled="true". Then the menus will be hidden if you're not logged in or don't have the appropriate role specified.
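A Web.config fragment for the setting described above, as an added example rather than configuration from the original post. It also includes a location block, because security trimming only filters which nodes the menu shows, while URL authorization is what refuses a direct request to the page. The provider name, the Admin folder and the Administrators role are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Register an XmlSiteMapProvider with trimming switched on and make it
         the default, so SiteMapDataSource/TreeView controls pick it up.
         The name "TrimmedXmlSiteMapProvider" is an assumption. -->
    <siteMap defaultProvider="TrimmedXmlSiteMapProvider" enabled="true">
      <providers>
        <add name="TrimmedXmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- With trimming on, a node is shown when the user is in a role listed in
       the node's roles attribute, or when URL/file authorization allows the
       user to reach the node's url. The rule below (assumed folder "Admin",
       assumed role "Administrators") makes the Admin pages fail that second
       check for everyone else, and blocks direct requests to them as well. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```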
Reference: Source of the web.config siteMap information I Googled to get the right XML node