URLScan Security Component for Windows NT/2000 Servers and IIS 5.x
While most people know and use the IIS Lockdown tool, few install the URLScan companion piece. I strongly recommend that this utility be installed on all servers running IIS 5.x, this is as important as staying up to date with critical fixes. Much of the functionality is available in IIS6, but why wait to upgrade when you can get that peace of mind for free today?
From the summary: "URLScan is an ISAPI filter that allows Web site administrators to restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage."
Many features provided by URLScan are baked into IIS6, other potential problems are avoided entirely by IIS6's redesigned page and security models. The URLScan home page provides an excellent walk-through of URLScan features vs. built-in IIS6 functionality.
Still running ASP.NET sites on IIS5? Install it!