There's been half a dozen path traversing exploits against MS IIS, before they finally caved in and took reasonably complete measures in IIS 6 (IIRC).