Best practice

Sorry am under time constraint. What is the best practice in placing published app files on the webserver, like in it's wwwroot or above
it and should the web.config or all pertaining files be encrypted as in will
these be secure from any web user from getting to it? Thanks in advance.