It must really hurt developers at Microsoft to design IIS6 the way they've been designing it. It's been basic Microsoft philosophy forever to make products as available, as scriptable, and as powerful as possible. Things have changed. After two years of assaults from security consultants and Internet vandals, Microsoft has decided that discretion--when it comes to an Internet service--is the better part of valor. Now they have to sit and think of ways to prevent users from accessing features.

Since so many companies running Windows 2000 and NT4 had unknowingly installed IIS--until they were victimized--Microsoft has wisely seen fit to alter the default configuration for IIS6. After you install Windows .Net Server, IIS6 may or may not even be installed, depending on your license. Once it's installed, it is not automatically enabled. Once enabled, its default configuration is a locked-down state that can't do anything really useful. You must enable the features. Beyond that, there are new filtering features borrowed from firewalls, such as the ability to filter out potential attacking requests before they are processed. All this--in combination with the new Web Server Edition, and if Microsoft's performance claims for IIS6 are true--could make IIS6 very popular in hosting environments and other pure Web applications.

M$ has really dug thier own grave with IIs, it sucks and people are aware of it's security past.
With better, more stable, free alternatives such as nix running apache why use IIs for anything more than a ccorporate intranet.