dusky - 8:45 pm on May 10, 2010 (gmt 0)
bwnbwn, I feel your pain, but I can't be of much help on MS or IIS stuff (I use them rarely for local testing only), however, the problem is not originating on your site or created deliberatly, it just that it can be abused and G* or other SEs aren't going to penalize you, so take your time and don't panic, trust me 50%+ of Internet sites have this problem and most are OK with it (most don't even know they have it anyway).
Starting a thread on the IIS forum would a best bet, and for reference you can always point them to my discussion so they'll have the general idea. I'd test on a local Intranet webserver to make sure the fixes are all good and run a link checker as well.
If you have URLs that are constructed as yoursite.com/?.... i.e with the ? after the domain.tld and slash or after the end of the URL blabla.html?...be careful as the fix will prevent those URLs and block or redirect them to a 404. Can't remember where I've seen some commercial solutions using this practice.