Sorry for the delays. I keep all comments moderated; I (as most others do) had a lot of problems with comment spam.
You should be able to leverage an HttpModule or Global.asax instead of modifying all pages in Page_Init. If the user is not authenticated, boot them out from there instead of letting it go all the way to your page. The link above to the KB article shows that you can use this same approach to check the canonicalization.
As for the pages that it only performs security checks on files it knows about, there is a catch-all entry in machine.config.
<add verb="*" path="*" type="System.Web.HttpMethodNotAllowedHandler" />
This assumes that the file extension in question is mapped to ASP.NET in your IIS settings. For instance, .htm and .html are not mapped to ASP.NET in IIS.
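An added example, not part of the original comment or of the KB article: a single HttpModule that does both checks before any page runs. The module name, the login page path, and the exact form of the canonicalization test (backslash check plus full-path comparison) are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical module; class name and login path are assumptions.
// Register in web.config:
//   <httpModules><add name="RequestGate" type="RequestGateModule" /></httpModules>
public class RequestGateModule : IHttpModule
{
    private const string LoginPage = "/login.aspx"; // assumed, relative to the app root

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(CheckPath);
        // AuthorizeRequest fires after AuthenticateRequest, so Context.User is populated.
        app.AuthorizeRequest += new EventHandler(CheckUser);
    }

    private static void CheckPath(object sender, EventArgs e)
    {
        HttpRequest req = ((HttpApplication)sender).Request;
        // Reject requests whose path contains a backslash or whose physical
        // path is not already in canonical (fully resolved) form.
        if (req.Path.IndexOf('\\') >= 0 ||
            Path.GetFullPath(req.PhysicalPath) != req.PhysicalPath)
        {
            throw new HttpException(404, "Not found");
        }
    }

    private static void CheckUser(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string login = ctx.Request.ApplicationPath.TrimEnd('/') + LoginPage;
        if (String.Equals(ctx.Request.FilePath, login, StringComparison.OrdinalIgnoreCase))
            return; // anonymous users must still be able to reach the login page

        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;
            app.CompleteRequest(); // skip the remaining pipeline and the page handler
        }
    }

    public void Dispose() { }
}
```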