In response to the comment about Apache on Unix being "much more secure", I don't buy it. As far as I'm concerned, it's simply one of those persistent myths that IIS is any less secure than any other web server, including Apache. An uninformed administrator is just as likely to deploy an insecure Apache server as they are an IIS server.

Oh, BTW, you might enjoy checking out the 44 security flaws found by graduate students recently.
http://cr.yp.to/2004-494.html