If you haven't heard of this elsewhere already, please review this immediately:
A best practice is to install URLScan, as it will block some of the possible exploits mentioned in the links above. **Don't consider it a full solution though**; the global.asax solution in the KB article is the true solution.
Notes on URLScan
http://www.microsoft.com/technet/security/tools/urlscan.mspx?#e (It's hidden but the link to the download is on that page)
URLScan is an easy install, but by default it disables asp and asa pages as well as exe, com and other files, so I suggest you review %windir%/system32/inetsrv/urlscan/urlscan.ini to ensure that it doesn't tighten your server too much.
Note: a reset of IIS is required for any changes to take effect.
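One way to do that review before resetting IIS, as an added example that is not part of the original post: the script below reads urlscan.ini text and reports which of the extensions your site serves would be rejected. The sample configuration is constructed, and the function names `parse_sections` and `blocked_extensions` are hypothetical.

```python
import re

# Constructed sample in urlscan.ini layout (not the shipped defaults).
SAMPLE_INI = """\
[options]
UseAllowExtensions=0   ; 0 = reject what [DenyExtensions] lists
[AllowExtensions]
.htm
.html
.aspx
[DenyExtensions]
.asp   ; classic ASP pages
.asa
.exe
.com
"""

def parse_sections(text):
    """Return {section name (lowercase): [entries]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def blocked_extensions(ini_text, needed):
    """List the extensions in `needed` that this configuration would reject."""
    sections = parse_sections(ini_text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    # Assumption: a missing UseAllowExtensions behaves like 0 (deny-list mode).
    allow_mode = options.get("useallowextensions", "0") == "1"
    allow = {e.lower() for e in sections.get("allowextensions", [])}
    deny = {e.lower() for e in sections.get("denyextensions", [])}
    if allow_mode:
        return [e for e in needed if e.lower() not in allow]
    return [e for e in needed if e.lower() in deny]

if __name__ == "__main__":
    print(blocked_extensions(SAMPLE_INI, [".aspx", ".asp", ".asa", ".exe"]))
```

To check a real server, pass the contents of the urlscan.ini file at the path given above in place of `SAMPLE_INI`, along with the extensions your applications actually serve.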