There’s an article by Rohyt Belani and Michael Muckin up on SecurityFocus that provides a great overview of the security features of IIS 6.0. From the conclusion:
IIS 6.0 Security
…IIS 6.0 is a step in the right direction, by Microsoft, to help organizations improve their security postures. It provides a reliable and secure infrastructure to host web applications. The improved security can be attributed to the secure default configuration, the evident emphasis to security in the design process and enhanced monitoring and logging capabilities of the IIS 6.0 server.