A paper on IIS 6.0 security. IIS 6.0 is much more secure out-of-the-box than II5, which means the challenge comes in opening 6.0 up enough to make it work (whereas 5.0 needs closed down enough to be secure). This is easier said than done when unfamiliar with what is actually needing to be opened up…
Want to know how to Hack IIS? Then read the Hacking IIS Tutorial. I have not read this yet, but it looks pretty useful and thorough.