As with all IIS usage I think the Lockdown Tool Kit fro Microsoft is just as essential as IIS ? with out it you may as well open the front door on your server and give the world the keys.

As for ASP .NET?I can just hope you have made sufficient changes to the Local Security Policy settings as the user ASP .NET is not exploited by anyone who wants to just let them selves in.