All the recommendations on moving the web root to another drive are
valid and correct.  In fact, as Stefan Osterlitz points out, changing
the default names and locations for as much of the system hierarchy as
possible will enhance security.

In particular, if the utmost security is necessary, I recommend (among
other things):

  Create a 5MB DOS partition at the front of your disk as the C: drive.

  Install Windows/NT/2k to the next partition, which will become D:
  (it will still write the boot sector to C:).

  Call the WinNT/2k root directory on D: anything EXCEPT winnt.

  Convert C: to NTFS after installing NT/2K, and allow only
  ADMINISTRATOR (the user, not group) and SYSTEM to access.

  Create an E: drive for your Inetpub stuff.  Make the Inetpub
  location a subdirectory of another directory (say webdata or some
  such) on E:, and name it anything but Inetpub.

  If you need it, don't call scripts SCRIPTS.  Likewise for CGIBIN
  and the like.  If you don't need these directories, get rid of them.

  Make sure that you change the properties for each of your websites
  so that PARENT PATHS are *NOT* enabled (you'll be surprised what
  breaks after doing this).

  Use CACLS to change the permissions of all the .EXE, .COM, .DLL,
  .CMD, .BAT, and anything else that's possibly executable so that
  only ADMINISTRATOR (the user) can write or modify them.

  Use CACLS to change the permissions on things useful to an intruder
  so that only ADMINISTRATOR (the user) can read or execute them, such
  as CMD.EXE, EDLIN.EXE, FINGER.EXE, FTP.EXE, PING.EXE, TFTP.EXE,
  ROUTE.EXE, et cetera.

  Change the ADMINISTRATOR username to something else that resembles
  the rest of your standard user names, and set a very strong
  password.

  Create a dummy ADMINISTRATOR user with no privs, with a very strong
  password and audit logons (check the logs!).

However, and unfortunately, the above will break some web applications
and will make your web developers' lives a living hell.

In regards to known vulnerabilities, if you are up-to-date on 
hotfixes, properly ACL your files and directories (and registry), 
have strong passwords, audit everything and check your logs, I don't
believe that using the default paths is a SIGNIFICANT risk for most
applications.  On the other hand, if this is for an on-line financial
application or something likewise sensitive, pull out all the stops.

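
An added example, not part of the original post: a Python check that reads saved `cacls <file>` output and lists ACL entries that break the two permission rules in the list above (only the admin user may write executables; only the admin user may read or execute the listed tools). It assumes cacls prints the file name on the first line and one `principal:right` entry per line; `D:\NTSYS` and `WEB01\siteops` (the renamed admin account) are constructed names, and SYSTEM is flagged unless you add it to `allowed`.

```python
import re

# Tools the post wants readable/executable by the admin user only.
RESTRICTED_TOOLS = {"cmd.exe", "edlin.exe", "finger.exe", "ftp.exe",
                    "ping.exe", "tftp.exe", "route.exe"}
WRITE_RIGHTS = {"W", "C", "F"}  # cacls letters: Write, Change, Full control
# Assumed entry layout: principal:[(OI)(CI)(IO)]X, X being a simple right.
ACE = re.compile(r"^(.+?):(?:\((?:OI|CI|IO)\))*([NRWCF])$")

def parse_cacls(path, output):
    """Return [(principal, right)]; right is '?' for entries not understood."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line repeats the file name
        if line:
            m = ACE.match(line)
            aces.append(m.groups() if m else (line, "?"))
    return aces

def audit(path, output, allowed):
    """List the ACL entries on one file that break the post's rules."""
    is_tool = path.rsplit("\\", 1)[-1].lower() in RESTRICTED_TOOLS
    allowed = {a.lower() for a in allowed}
    findings = []
    for who, right in parse_cacls(path, output):
        if who.lower() in allowed or right == "N":  # N grants no access
            continue
        if right == "?":
            findings.append((path, who, "review by hand"))
        elif is_tool or right in WRITE_RIGHTS:
            findings.append((path, who, "can read/execute" if is_tool else "can write"))
    return findings

# Constructed sample output; D:\NTSYS and WEB01\siteops are made-up names.
SAMPLE = {
    r"D:\NTSYS\system32\cmd.exe":
        "D:\\NTSYS\\system32\\cmd.exe BUILTIN\\Users:R\n"
        "                           WEB01\\siteops:F\n",
    r"E:\webdata\site1\app.dll":
        "E:\\webdata\\site1\\app.dll Everyone:C\n"
        "                         WEB01\\siteops:F\n",
}

def audit_all(sample=SAMPLE, allowed=(r"WEB01\siteops",)):
    return [f for path, out in sample.items() for f in audit(path, out, allowed)]

if __name__ == "__main__":
    print(*audit_all(), sep="\n")
```

Entries the parser does not understand, such as special-access lists, are reported for manual review rather than treated as safe.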