CYA: Securing IIS 6.0: Cover Your A** By Getting It Right the First Time

Familiarize yourself with the available authentication methods, and the benefits and drawbacks of each. For basic authentication, evaluate the need for SSL to secure transmission of user credentials. For digest and IWA, ensure that your client browsers support these authentication mechanisms, and your server and network support the prerequisites for using these authentication mechanisms.
Configure user accounts with the minimum privileges required for IIS web functionality.
Be aware of which user account settings must be configured so that you can isolate web applications from each other, if required.
Be familiar with the URLScan tool from Microsoft, and how it can help secure your web server by providing an additional defensive layer.
Configure appropriate application settings to protect your web applications from information disclosure attacks. You should develop custom application error pages that inform your developers of errors while hiding configuration information from malicious attackers. You should secure include files that may contain sensitive configuration information about your application.
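One way to meet the custom error page requirement above for classic ASP on IIS 6.0, as an added example that is not from the book: a replacement for the default 500-100.asp handler (registered in IIS Manager on the site's Custom Errors tab as the URL for HTTP error 500;100) that writes the ASPError details to a log file for developers and returns only a generic message and a correlation reference to the client. The log path D:\Logs\asp-errors.log is an assumption; place it outside the web root.

```asp
<%@ Language=VBScript %>
<%
' Added example (not the book's code): replacement 500-100.asp handler.
' Detailed diagnostics go to a server-side log the developers read;
' the client only ever receives a generic message and a reference ID.
Option Explicit
Dim objErr, objFSO, objLog, strLogPath, strRef

' Assumption: D:\Logs\ is outside the web root and writable only by
' the application pool identity; adjust to your own layout.
strLogPath = "D:\Logs\asp-errors.log"

' Correlation reference lets a developer find the log entry for a
' user report without the page exposing anything about the failure.
Randomize
strRef = Hex(Timer * 1000) & "-" & Hex(Int(Rnd() * 65535))

Set objErr = Server.GetLastError()
On Error Resume Next   ' a logging failure must not leak a second error
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(strLogPath, 8, True) ' 8 = ForAppending
If Err.Number = 0 Then
    objLog.WriteLine Now() & " ref=" & strRef & _
        " file=" & objErr.File & " line=" & objErr.Line & _
        " number=" & objErr.Number & " desc=" & objErr.Description & _
        " asp=" & objErr.ASPDescription & " source=" & objErr.Source & _
        " client=" & Request.ServerVariables("REMOTE_ADDR")
    objLog.Close
End If
On Error GoTo 0

' Nothing below reveals paths, line numbers, source code or ODBC text.
Response.Clear
Response.Status = "500 Internal Server Error"
%>
<html><body>
<h1>The page could not be displayed</h1>
<p>An error occurred while processing your request.
   Please quote reference <%= Server.HTMLEncode(strRef) %> when reporting it.</p>
</body></html>
```

The default handler IIS ships exposes the same ASPError fields (file, line, source text) directly to the browser, which is the information disclosure this replacement prevents.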
Be aware of the new Authorization Manager functionality included with Windows Server 2003, and how it allows for role-based authorization, as compared with the ACE-based authorization traditionally used to secure access to resources.