Sometimes I'm surprised anyone with sensitive information uses IIS. There are so many web servers out there, and so many ways to skin any proverbial cat, that IIS for anything you'd ultimately aboslutely not want in someone else's hands shouldn't go into an IIS system, or sit on the same network as a publicly exposed IIS. Apache (php/Perl, etc), Tomcat (JSP), even WebSTAR for heaven's sake -- heck, it's not that difficult to write your own danged web server at this point -- are good alternatives.