It is a good practice to encrypt your Web.config file if you have sensitive information there, for example a connection string with password.
With the ASP.NET IIS Registration tool (Aspnet_regiis.exe) you can easily encrypt specific sections of Web.config file. A command with elevated privileges is required.
Example using DataProtectionConfigurationProvider. This provider uses DPAPI to encrypt and decrypt data:
aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "DataProtectionConfigurationProvider"
Example using RSAProtectedConfigurationProvider:
aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "RSAProtectedConfigurationProvider"
If you do not specify the -prov parameter it uses RSAProtectedConfigurationProvider as default. This provider is recommended for Web Farm scenarios.
To get connectionStrings section back to clear text:
aspnet_regiis.exe -pdf "connectionStrings" c:\inetpub\YourWebApp
More information about the aspnet_regiis.exe is avaiable on MSDN.