If you use URLScan, you might run into the following issues:
URLScan blocks the DEBUG verb which breaks application debugging. If you need to support debugging, add the DEBUG verb to the [ AllowVerbs ] section in URLScan.ini.
You need to recycle IIS for changes to take effect. URLScan is an ISAPI filter that runs inside the IIS process (Inetinfo.exe) and URLScan's options are loaded from URLScan.ini when IIS starts up. You can run the IISReset command from a command prompt to recycle IIS.
URLScan blocks requests that contain potentially harmful characters, for example, characters that have been used to exploit vulnerabilities in the past such as "." used for directory traversal. It is not recommended that project paths contain the "." character. If you must allow this, you need to set AllowDotInPath=1 in URLScan.ini.
If your Web application directories include dots in the path , for example, a directory containing the name "Asp.Net", then URLScan will reject the request and a "404 not found" message will be returned to the client.
Other characters to avoid in project names because they will be rejected by URLScan include comma (,) and the pound sign (#).