The web.config file is not really a part of ASP.Net.
It is a Part of the IIS server that ASP.Net runs on.
it is a server level configuration file.
The same can be said of the .htaccess file.
It is a server level configuration file that is used to configure the Apache server.
The only way to password protect a directory on the server is through the server configuration. On an IIS server you use the web.config file. On an Apache server, you use the .htaccess file.
A php page cannot be used to password protect a directory.
Security Assist can be used to password protect your php pages, you would need to apply it to each page in the directory. If you create a new page, you will need to manually apply the Security Assist restrict access rule.
You can accomplish user level authentication in security assist, see the "User Level Authentication" tutorial in the Solution recipe section of the security assist support page:
securityassist/