The first major points about placing the wwwroot in a non-standard location is for the Directory Traversal exploit as you've brought up already. Many exploits will either rely on, or look for default settings like placing your websites in the c:\inetpub\wwwroot directory.
The way that I generally set it up is to move the www and ftp roots to another drive, rename the wwwroot part to something else. I also acl the original inetpub directory so that only admin has access, remove the default virtual directories and move the log files off the C: drive. I've got two reasons for moving the logs: get them out of the standard directory and make sure they are on another drive so the log can't fill up the drive and bring the server down. Phil > OK Everyone, I need some help! > > I'm trying to articulate the reasons why it's better to place > the root of a > website on a separate partition, or at least in a separate > directory from > the application which uses IIS as a front-end...
