"When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server.
Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure.
This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was."
"During installation, we could choose from a wide variety of options and capabilities that we wanted to install with IIS 7.
The new modular design made it possible to give the Web server only the capabilities that it absolutely needed, which is a good way to avoid unnecessary exposure to security problems.
There are more than 40 modules currently available for IIS 7, handling everything from authentication to scripting support to backward compatibility.
Another big change in this version of IIS is the web.config file, an XML-based file that handles all of the core configuration for the Web server and can be easily ported to other servers (for example, when moving from development to staging servers)." - eWeek
Article Link: http://www.eweek.com/article2/0,1895,1988880,00.asp