David has posted two articles about his thoughts on IIS Security vs. Apache which I would like to recommend to you: