IIS 4.0 seems to have a bug in it that hoses the password setting for
the IUSR_xxx user (you've noticed I'm sure that you now have file-level
granularity for setting access permissions in IIS).  The only fix we're
aware of is documented in the LISTSERV support FAQ, specifically

   http://www.lsoft.com/lsv-faq.html#Sect22

which has been recently rewritten to take this problem into account.  Thanks
to Mark Wickens of EveryWare Development Inc. who originally had the problem
and shared the answer he found with us.

Nathan