Should I be running the URLScan or IIS Lockdown tools on my Exchange 2000 Server machines?
Microsoft designed these two tools (available from http://www.microsoft.com/downloads/release.asp?release ID=32571 and http://www.microsoft.com/downloads/release.asp?release ID=32362, respectively) to harden computers running Microsoft Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) against a wide variety of malicious attacks. If you install these tools by themselves, most Exchange and Outlook Web Access (OWA) functionality will work—but some operations will fail. For example, IIS Lockdown's default settings filter out the ACL and Notify WebDAV verbs that the Exchange Instant Messaging service uses. The Microsoft article "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q309677) describes the other problems to watch out for, including specific adjustments you need to make to let various Exchange 2000 services work properly.