Magento security on IIS

Access to /app/etc/local.xml is not so desired since it contains your db login.
However IIS does ignore .htaccess, so you need to change the local web.config file.  To get Magento working safely you should have a minimum of:

<?xml version="1.0" encoding="UTF-8"?>  
<configuration>  
    <system.webServer>  
        <rewrite>  
            <rules>  
               <!-- <!–## rewrite API2 calls to api.php (by now it is REST only)–>   -->
               <rule name="Rewrite API2 calls to api.php" stopProcessing="true">  
                 <match url="^api/rest" ignoreCase="false" />  
                 <action type="Rewrite" url="api.php?type=rest" appendQueryString="true" />  
               </rule>
               <!-- <!–## HTTP_AUTHORIZATION variable removed—>  -->
               <rule name="TRACE and TRACK HTTP methods" stopProcessing="true">  
                 <match url=".*" ignoreCase="false" />  
                 <conditions>  
                   <!-- <!–## TRACE and TRACK HTTP methods disabled to prevent XSS attacks–>   -->
                   <add input="{REQUEST_METHOD}" pattern="^TRAC[EK]" ignoreCase="false" />  
                 </conditions>  
                 <action type="Redirect" redirectType="Temporary" url="{R:0}" />  
               </rule>

               <!-- <!–## rewrite everything else to index.php–>   -->
               <rule name="Rewrite everything to index.php" stopProcessing="true">  
                   <match url=".*" ignoreCase="false" />  
                   <conditions> 
                   <add input="{URL}" pattern="^/(media|skin|js)/" ignoreCase="false" negate="true" /> 
                   <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />  
                   <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />  
                   <!-- <!– Symbolic link filetype does not exists in Windows/IIS –>   -->
                 </conditions>  
                 <action type="Rewrite" url="index.php" />  
               </rule>
                <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{URL}" pattern="/app/etc/*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>  
              </rules>  
        </rewrite>     
    </system.webServer>  
</configuration>