Within your Inetpub\wwwroot\<virtual_server> folder, you should have separate folders for:

Executable files  (<b>.bat</b>, <b>.cmd</b>, <b>.pl</b>, <b>.exe</b>)
Script files      (<b>.asp</b>)
Include files     (<b>.inc</b>, <b>.shtm</b>, <b>.shtml</b>)
Static content    (<b>.jpg</b>, <b>.gif</b>, <b>.htm</b>, <b>.html</b>)

Set the following permissions for Executable, Script, and Include file folders:

<b>Everyone</b>       (X)
<b>Administrators</b> (Full Control)
<b>System</b>         (Full Control)

Set the following permissions for Static content folders:

<b>Everyone</b>       (R)
<b>Administrators</b> (Full Control)
<b>System</b>         (Full Control)

Because the Inetpub\FTProot and Inetpub\Mailroot folders usually require anonymous access for read and write, put these folders on a separate partition and set disk quotas for the Everyone group. The quotas will alert you when a folder fills up as a result of a denial-of-service attack.

To prevent your log files from being altered by intruders, set the following permissions on the log files in the %SystemRoot%\system32\LogFiles folder:

<b>Administrators</b> (Full Control)
<b>System</b>         (Full Control)
<b>Everyone</b>       (Read)
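
The permission lists above for the web content folders and the log folder, applied with PowerShell. This is an added example, not part of the original checklist; the site root and the folder names bin, scripts, include and static are hypothetical, as is the function name Set-ListedAcl.

```powershell
# Added example, not from the original page. Assumed: site root and folder names.
$SiteRoot = 'C:\Inetpub\wwwroot\example_site'   # hypothetical <virtual_server> folder

# Folder -> right granted to Everyone, as listed on the page.
$plan = [ordered]@{
    "$SiteRoot\bin"                     = 'ExecuteFile'   # executable files: Everyone (X)
    "$SiteRoot\scripts"                 = 'ExecuteFile'   # script files:     Everyone (X)
    "$SiteRoot\include"                 = 'ExecuteFile'   # include files:    Everyone (X)
    "$SiteRoot\static"                  = 'Read'          # static content:   Everyone (R)
    "$env:SystemRoot\system32\LogFiles" = 'Read'          # log files:        Everyone (Read)
}

function Set-ListedAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$EveryoneRights
    )
    # Well-known SIDs, so the script does not depend on localized account names.
    $grants = [ordered]@{
        'S-1-5-32-544' = 'FullControl'     # Administrators
        'S-1-5-18'     = 'FullControl'     # System
        'S-1-1-0'      = $EveryoneRights   # Everyone
    }
    # Start from an empty ACL and block inheritance, so only the three listed entries remain.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in $grants.Keys) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $grants[$sid], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl   # honors -WhatIf passed to this function
}

foreach ($path in $plan.Keys) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Folder not found, skipped: $path"
        continue
    }
    # Dry run by default: remove -WhatIf to write the ACL.
    Set-ListedAcl -Path $path -EveryoneRights $plan[$path] -WhatIf
    # Show the ACL in effect so the result can be compared with the lists above.
    (Get-Acl -LiteralPath $path).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Files that already carry explicit entries of their own keep them; only children that inherit from the folder pick up the new ACL.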