Well done
Well done
So what settings do I need to have in the IIS Crypto program to achieve this?
Lost, always make sure you back up the registry beforehand to play it safe, but after you have done that, the way I see it is you launch IIS Crypto and either manually choose which Protocols, Ciphers, Hashes and Key Exchanges to use, or you could just click Best Practices and have the program make the selections for you. Once you click Apply the program will make the registry changes for you, after which you will need to reboot the server. For the program to work I believe the latest version needs .Net version 4 installed, but I believe they have a .Net 2 version as well. Their website should tell you. Hope this helps.
Take care, x
This is a really good article and would have been great if you included something like this to finish it off for those of us who don't understand cryptography as well as you do.
https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
Enabling forward secrecy can be done in two steps:
1. Configure your server to actively select the most desirable suite from the list offered by SSL clients.
2. Put ECDHE and DHE suites to the top of your list. (The order is important; because ECDHE suites are faster, you want to use them whenever clients support them.)
Knowing which suites to enable and move to the top can be tricky, because not all browsers (devices) support all forward secrecy suites. At this point you may want to look for inspiration from those who are already supporting forward secrecy, for example Google.
In a nutshell, these are some of the suites you might want to enable and push (close) to the top:
• TLS_ECDHE_RSA_WITH_RC4_128_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
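To tie the two replies above together (back up the Schannel registry before letting IIS Crypto rewrite it, then confirm that ECDHE/DHE suites lead the order), here is an added PowerShell check. It is not code from the article, from IIS Crypto or from the Qualys post. It assumes Windows Server 2016 / Windows 10 or later (for Get-TlsCipherSuite) and an elevated shell; the policy registry path is the Group Policy cipher-suite-order location, which I understand IIS Crypto also writes to, so treat that part as an assumption. On Windows, Schannel always chooses from the server's own ordered list, so step 1 of the Qualys advice is already satisfied; what the function audits is step 2. The Legacy column flags the RC4 and 3DES entries from the 2013 list, which have since been withdrawn (RC4 is prohibited by RFC 7465; 3DES is subject to the Sweet32 attack).

```powershell
# Added example for this thread; not code from the article, IIS Crypto or Qualys.
# Assumes Windows Server 2016 / Windows 10 or later and an elevated PowerShell.

# Step 0 (the reply's advice): export the Schannel key before any tool rewrites it.
$backupPath = Join-Path $env:TEMP ("schannel-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backupPath /y | Out-Null
Write-Host "Schannel registry exported to $backupPath"

# Group Policy stores the cipher-suite order here as a comma-separated REG_SZ named
# Functions (assumption: IIS Crypto writes the same value). Report whether one is set.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policyOrder = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($policyOrder) { Write-Host "Policy order is set: $($policyOrder.Split(',').Count) suites" }
else              { Write-Host "No policy order set; the Windows default order applies" }

# Effective order as Schannel will use it. Schannel always honours the server's
# order (Qualys step 1), so only the ordering itself (step 2) needs checking.
$effective = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

function Test-ForwardSecrecyOrder {
    param([Parameter(Mandatory)][string[]]$Order)

    $report = foreach ($i in 0..($Order.Count - 1)) {
        $name = $Order[$i]
        [pscustomobject]@{
            Position       = $i + 1
            Suite          = $name
            # ECDHE/DHE suites and every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) use
            # ephemeral key exchange and therefore give forward secrecy.
            ForwardSecrecy = ($name -match '^TLS_(ECDHE|DHE)_') -or ($name -match '^TLS_(AES|CHACHA20)_')
            # RC4 and 3DES appear in the 2013 list but are no longer safe to offer.
            Legacy         = $name -match 'RC4|3DES|NULL|MD5'
        }
    }

    # Step 2 is satisfied when no forward-secret suite sits below a non-forward-secret one.
    $firstNonFs = $report | Where-Object { -not $_.ForwardSecrecy } | Select-Object -First 1
    $lateFs = if ($firstNonFs) {
        $report | Where-Object { $_.ForwardSecrecy -and $_.Position -gt $firstNonFs.Position }
    } else { @() }

    [pscustomobject]@{
        Total                 = $report.Count
        ForwardSecrecyLeads   = (@($lateFs).Count -eq 0)
        FirstNonForwardSecret = $firstNonFs.Suite
        ForwardSecretBelowIt  = @($lateFs | Select-Object -ExpandProperty Suite)
        LegacySuitesEnabled   = @($report | Where-Object Legacy | Select-Object -ExpandProperty Suite)
    }
}

Test-ForwardSecrecyOrder -Order $effective | Format-List
```

Run it once before clicking Apply in IIS Crypto and once after the reboot; the second run should show ForwardSecrecyLeads as True and an empty ForwardSecretBelowIt list. If LegacySuitesEnabled is non-empty, the suite list still contains entries that should be dropped rather than merely demoted.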