http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp

Above superseded by below

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=33961

URLScan Security Tool

Microsoft has developed a tool that lets web server administrators ensure the security of their servers. The tool, URLScan, screens all incoming requests to the server, and filters them based on rules set by the administrator. This significantly improves the security of the server by helping ensure that it only responds to valid requests.

URLScan is effective in protecting web servers because most attacks share a common characteristic – they involve the use of a request that’s unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering out all unusual requests, URLScan prevents them from reaching the server and potentially causing damage.

URLScan is extremely flexible. Its default rule set fully protects a server against virtually all known security vulnerabilities affecting IIS, as well as potentially protecting against additional, as-yet undiscovered attack methods. The default rules can be modified – and new rules can be added – in order to customize the tool’s actions to match the needs of a particular server.

Microsoft recommends that the tool only be used by experienced web administrators, as it is possible to configure the filters in a way that would interfere with normal web site operation.

The tool is available for downloading at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571.
Detailed instructions for installing and using it are available in the download package, or in Microsoft Knowledge Base article Q307608.
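
The screening described above (request length, requested action, alternate encodings, unusual character sequences) can be sketched as a small rule-driven filter. This is an added example, not URLScan's own code or configuration; the rule names, limits and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical rule set for illustration; names and values are
# assumptions, not URLScan's own configuration or defaults.
RULES = {
    "max_url_length": 260,
    "allowed_verbs": {"GET", "HEAD", "POST"},
    "deny_sequences": ["..", "./", "\\", ":", "%", "&"],
    "allow_high_bit": False,
}

def screen_request(request_line, rules=RULES):
    """Return (allowed, reason) for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, raw_url, _version = parts
    if verb not in rules["allowed_verbs"]:
        return False, "verb not allowed"
    if len(raw_url) > rules["max_url_length"]:
        return False, "URL too long"
    path = raw_url.split("?", 1)[0]
    # Decode once, then require that no escapes remain: if a second
    # decode would change the path, the screened text is not the final one.
    decoded = unquote_to_bytes(path)
    if re.search(rb"%[0-9A-Fa-f]{2}", decoded):
        return False, "double-encoded URL"
    if not rules["allow_high_bit"] and any(b > 0x7F for b in decoded):
        return False, "high-bit characters"
    text = decoded.decode("latin-1")
    for seq in rules["deny_sequences"]:
        if seq in text:
            return False, "denied sequence: " + seq
    return True, "ok"

# Constructed sample request lines, one per rule.
SAMPLES = [
    "GET /default.htm HTTP/1.0",
    "TRACE / HTTP/1.0",
    "GET /" + "A" * 300 + " HTTP/1.0",
    "GET /docs/%2e%2e/private.txt HTTP/1.0",
    "GET /docs/a%2541.htm HTTP/1.0",
    "GET /docs/caf%E9.htm HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(screen_request(line), line[:60])
```

A rule set this strict also rejects some legitimate requests, such as paths containing non-ASCII characters, which is the kind of interference with normal site operation the text warns about.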