To configure URLScan to determine which requests should be rejected, you use URLScan.ini. This is located in the following folder:
%windir%\system32\inetsrv\urlscan
For more information on how to modify the various sections in URLScan.ini, refer to Microsoft Knowledge Base article 815155 "How To: Configure URLScan to Protect ASP.NET Web Applications."