All,
Not to fan the fire of the almost religious belief that the IIS discussion has taken on, I think some points have been overlooked: 1) both applications can be hardened against *known* vulnerabilities; if you don't believe this talk to someone that's been a sys admin or CompSec person for over 10 years (sorry, experience counts) 2) IIS *does* have more exploits that have been discovered; this is due to several reasons a) IIS has more *built-in* functionality (this speaks to the ability to enable functionality without secondary software additions/compiles); any time you increase functionality you increase your vulnerability b) For the past several years most script-kiddies and their ilk have focused their attentions on hacking IIS boxes (do the research yourself); the reason goes back to the previous note about functionality & the fact that it takes a higher skill level to take advantage of a *nix exploit (this is due to the full-kernel design, etc....not necessarily a superior product). 3) Both IIS and Apache have the respective pros & cons; if you plan on being in this business get used to *both* of them being around for a while but don't plan on what *you* view as being the best product to "win the race".....after all, Beta is superior to VHS and Amiga was a great video box.....
