First, let me qualify that I know NOTHING of IIS (which I assume is the server you are using) or ASP - I use Apache.
I'm a bit confused here.
You say that you "have the normal user authentication on each page of the site that is users only".
I take that as meaning that you've been successful in making parts of your site off-limits except to logged-in users.
So, why not simply do exactly the same thing for the URLs for the pictures that you have done for the other members-only URLs?
What am I missing?