phranque - 9:15 am on Nov 26, 2012 (gmt 0)
this is the reference i was looking for.
2.4. When to Encode or Decode
When a URI is dereferenced, the components and subcomponents significant to the scheme-specific dereferencing process (if any) must be parsed and separated before the percent-encoded octets within those components can be safely decoded, as otherwise the data may be mistaken for component delimiters. The only exception is for percent-encoded octets corresponding to characters in the unreserved set, which can be decoded at any time.
while i explained why part of the url was decoded, i didn't get around to answering your question.
i'm pretty sure you can only solve this with a redirect.
this is discussed in an apache context in this WebmasterWorld thread - Question about %3F and %3D embedded in inbound links - Apache Web Server forum:
perhaps there is another place in the IIS request processing pipeline where you can fix this.
however if index.php is your default directory index document you should be 301 redirecting that request anyway to:
what happens when you request the following?