A common error that many IIS administrators encounter is the "403 - Forbidden" error. This cryptic message erroneously leads many to believe that it's NTFS permissions related but it's not - errors related to authentication and access control are in the 401 status group.
The first step in tracking down the source of these 403 errors is to find the relevant IIS log file entries for these requests. You need to know the sub-status code associated with the 403. This is much the same process I described in Troubleshoot a 404. Once you have the sub-status code, you can match it to the status and sub-status code reference in the following Microsoft knowledge base articles. These references describe the common HTTP status codes and their likely causes.
IIS 5 & 6: