Well, this is meant to be a more technical blog, and I got in my mini ra-ra post yesterday, but I was happy to see Mary Jo Foley pointing to this eWeek article, "IIS Rounds the Security Corner". I've personally been at Microsoft from five years now and I've watched and participated in Microsoft's efforts to make security a fundamental part of the software engineering process. It's still a continuing effort, as Internet Explorer shows, but we have made even more progress since Windows 2003 as demonstrated in the springboards in XPSP2 and further improvements in our methods such as the static code analysis tools and a maturing Threat Modelling process.
There have been application compatability costs to some of our choices, such as described step 11 in this Pre-Post IIS6 Installation task list: "There are limits on the url content, url segment length, client submission size, etc. Also HTTP.sys strictly enforces http 1.1 and 1.0 standards. If you have a monitoring system delivering sloppy requests to IIS 6, those may get rejected and there is no "AcceptSloppyHTTP" registry settings." I will try to write an entry on what some of the gotcha's a few of our customers have seen.