Within your Inetpub\wwwroot\<virtual_server> folder, you should have separate folders for:
    Executable files  (.bat, .cmd, .pl, .exe)
    Script files      (.asp)
    Include files     (.inc, .shtm, .shtml)
    Static content    (.jpg, .gif, .htm, .html)

Set the following permissions for Executable, Script, and Include file folders:
    Everyone        (X)
    Administrators  (Full Control)
    System          (Full Control)

Set the following permissions for Static content folders:
    Everyone        (R)
    Administrators  (Full Control)
    System          (Full Control)

Since the Inetpub\FTProot and the Inetpub\Mailroot folders usually require anonymous access for read and write, put these folders on a separate partition and set disk quotas for the Everyone group. This will alert you when the folder fills up from a denial of service attack.

To prevent your log files from being altered by intruders, set the following permissions on the log files in the %SystemRoot%\system32\LogFiles folder:

    Administrators  (Full Control)
    System          (Full Control)
    Everyone        (Read)
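
To check that the folders still carry the permissions listed above, the following PowerShell audit is an added example and not part of the original checklist. The site path and the four sub-folder names are assumptions, as is the mapping of (X) to ExecuteFile and of (R)/(Read) to Read; it reports any missing, altered or extra access entry.

```powershell
# Added example: audit folder ACLs against the permission lists on this page.
# ASSUMPTIONS: $SiteRoot and the sub-folder names are hypothetical; (X) is read
# as FileSystemRights.ExecuteFile and (R)/(Read) as FileSystemRights.Read.
$SiteRoot = 'C:\Inetpub\wwwroot\example_site'
$Rights   = [System.Security.AccessControl.FileSystemRights]
$SidType  = [System.Security.Principal.SecurityIdentifier]
$NoSync   = -bnot ([int]$Rights::Synchronize)  # Synchronize is implicit on allow ACEs

# Well-known SIDs are used so localized group names do not matter.
$Exec = @{ 'S-1-1-0'      = [int]$Rights::ExecuteFile   # Everyone
           'S-1-5-32-544' = [int]$Rights::FullControl   # Administrators
           'S-1-5-18'     = [int]$Rights::FullControl } # System
$Read = $Exec.Clone()
$Read['S-1-1-0'] = [int]$Rights::Read

$Targets = [ordered]@{
    (Join-Path $SiteRoot 'bin')                     = $Exec
    (Join-Path $SiteRoot 'scripts')                 = $Exec
    (Join-Path $SiteRoot 'include')                 = $Exec
    (Join-Path $SiteRoot 'static')                  = $Read
    (Join-Path $env:SystemRoot 'system32\LogFiles') = $Read
}

function Test-FolderAcl([string]$Path, [hashtable]$Policy) {
    $seen = @{}
    # Explicit and inherited rules, with trustees returned as SIDs.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType)) {
        $id      = $ace.IdentityReference.Value
        $granted = [int]$ace.FileSystemRights -band $NoSync
        if ($ace.AccessControlType -ne 'Allow' -or -not $Policy.ContainsKey($id)) {
            "unexpected ACE: $id $($ace.AccessControlType) $($ace.FileSystemRights)"
        } elseif ($granted -ne ($Policy[$id] -band $NoSync)) {
            "wrong rights for ${id}: $($ace.FileSystemRights)"
        } else {
            $seen[$id] = $true
        }
    }
    foreach ($id in $Policy.Keys) {
        if (-not $seen[$id]) { "no matching ACE for $id" }
    }
}

foreach ($path in $Targets.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found"; continue }
    $findings = @(Test-FolderAcl $path $Targets[$path])
    if ($findings.Count -eq 0) { "OK    $path" }
    else { $findings | ForEach-Object { "FAIL  $path  $_" } }
}
```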