The IIS team released a security bulletin for IIS 5.1 yesterday which you should know about, if you use IIS 5.1 on XP. The bulletin is rated important because the underlying bug is an unchecked buffer overrun that can potentially be exploited to allow remote code execution if an attacker sent specially crafted URL requests to a Web page hosted by IIS 5.1.
Important note: this security bulletin does not apply to IIS 5.0 on Windows 2000 or IIS 6.0 and Windows 2003 nor IIS 7.0 on Windows Vista or Longhorn Server (Beta). The security vulnerability is specific to IIS 5.1 on Windows XP. IIS 5.1 is not installed by default on Windows XP and threats against your machine can also be completely mitigated by leaving on the Internet connection firewall (on by default with SP2) or using a third party firewall and blocking port 80 (or other ports you've opened with IIS).
The IIS product team is completely committed to Web security. Tremendous efforts have been made in our product development methodologies and processes to assure that customers of IIS are running the safest Web server possible. We've made great progress over the past several years, reducing the severity and frequency of security patches. While we strive for perfection, we are still human and occasionally bugs slip through. Many thanks for your patience and support of IIS.
Related note: If you use ASP.NET with any version of IIS, you should also check out this bulletin released yesterday.