ASP.NET Latest Security Vulnerability

I told a friend once that I did not like the idea of running PHP on IIS; he thought I was old school. In reality, I think that Microsoft has no business running PHP; we have enough problems with their complex ASP.NET paradigm already.

A couple of days ago, we learned that there is a serious security vulnerability in ASP.NET where the attacker can read data from files, including web.config. So God knows what they will be able to do to the PHP files, which, as we know, are not encrypted by default.

"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time."

Directly taken from Microsoft.com (9/24/2010)
http://www.microsoft.com/technet/security/advisory/2416728.mspx

Developers, please update your applications by following their workaround (the workaround link is in the middle of the page):
http://www.microsoft.com/technet/security/advisory/2416728.mspx
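
To check whether a site's web.config already has the shape that workaround asks for, here is a small audit script. It is an added example, not code from Microsoft or from the advisory. It assumes the workaround as I understand it: custom errors enabled, every error mapped to one `defaultRedirect` page with no per-status `<error>` entries, and `redirectMode="ResponseRewrite"` on .NET 3.5 SP1 and later. The function name and both sample configs are made up for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as {http://...}customErrors
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml, net35sp1_or_later=False):
    """Return a list of findings; an empty list means all errors map to one page."""
    root = ET.fromstring(web_config_xml)
    sections = [el for el in root.iter() if _local(el.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> element: errors are not mapped to a single page"]
    findings = []
    for ce in sections:
        # ASP.NET uses RemoteOnly when the mode attribute is absent
        if ce.get("mode", "RemoteOnly") == "Off":
            findings.append('mode="Off": remote clients see raw error responses')
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect missing: no common error page")
        codes = [e.get("statusCode", "?") for e in ce if _local(e.tag) == "error"]
        if codes:
            findings.append("per-status <error> pages distinguish errors: " + ",".join(codes))
        if net35sp1_or_later and ce.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode should be "ResponseRewrite"')
    return findings

# Constructed sample: custom errors off, different page per status code
WEAK = """<configuration><system.web>
  <customErrors mode="Off" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/404.html" />
    <error statusCode="500" redirect="~/500.html" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: one error page for everything (assumed workaround shape)
FIXED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_custom_errors(xml, net35sp1_or_later=True) or "ok")
```
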

Here is Microsoft's fix:
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx