Here's a simple way to develop your Web server so that your not hit against scripting attacks.
When you install Win2kK, install it in a different directory than WinNT. Also, don't call your default pages default.asp or .html or index.asp or .html. Scripts just replace those files. So if your IIS setup is not looking for those default files, then your safe.