I don't have a ton of experience, but I highly suggest you try it on a test server first (in a perfect world, it should be exactly like the production server). When they say Lockdown, they mean it.

Especially if you use 3rd party components, you might have some initial trouble.

We use it every once in a while, and it definately breaks things. I highly recommend using it and then having your programmers fix what is broken. In the end, they may have it changed back to the original configuration, but at least they will be aware that what they are doing is considered to be a security risk. Be prepared for a lot of work after the first time you use it.

Thanks Guys.

Well on te expert advice here I took the plunge and ran it :). Also installed urlscan. I had to re-enable some permissions after but not much else yet.

The config looks good but then the deafult 2K3 install is meant to be hardened anyway - it doesnt actually tell me what was already done.

Are you running Web Services? I've had IIS Lockdown bork my services in the past...

Sidenote: MS Baseline Security Analyzer is also essential in my book. It picks up some stuff I forget to do when re-imaging my servers.

-->MS Baseline Security Analyzer

I've also had trouble with this turning the screws down too tight on xml serialization.