Do use a dedicated machine as a Web server.
Do physically protect the Web server machine in a secure machine room.
Do configure a separate anonymous user account for each application, if you host multiple Web applications,
Do not install the IIS server on a domain controller.
Do not connect an IIS Server to the Internet until it is fully hardened .
Do not allow anyone to locally log on to the machine except for the administrator.