"When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server. Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server to a default profile that was much more secure. This and other security improvements have paid off, as IIS is nowhere near the major security problem it once was."
"During installation, we could choose from a wide variety of options and capabilities that we wanted to install with IIS 7. The new modular design made it possible to give the Web server only the capabilities that it absolutely needed, which is a good way to avoid unnecessary exposure to security problems. There are more than 40 modules currently available for IIS 7, handling everything from authentication to scripting support to backward compatibility. Another big change in this version of IIS is the web.config file, an XML-based file that handles all of the core configuration for the Web server and can be easily ported to other servers (for example, when moving from development to staging servers)." – eWeek
Article Link: http://www.eweek.com/article2/0,1895,1988880,00.asp