Indeed, the decision on whether or not to put IIS and SQL on the same server comes down to a number of factors, the biggest probably being cost (dollars) and the criticality of the application/data.

No doubt industry best practices call for physical separation. At my company we have a firewall in between the web server and backend database and only allow ODBC through. If you assume that your IIS server will get compromised at some point (a safe assumption!), it then becomes a question of how important the data is sitting in the database. If you don't care much about the data, by all means put it on the same server. But if the data has value, you may consider firewalling the connectivity.

- Uncle D
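The post's advice rests on an assumption (the IIS box will be compromised) and a control (only the database port is allowed through the firewall between the tiers). The control is only worth something if it actually holds from the attacker's vantage point, so the check a practitioner wants is one run from the web server against the database host. The script below is an added example, not code from Uncle D's post or from his company; it assumes SQL Server on its default port 1433/tcp, a handful of other Windows ports an attacker would try next (constructed for the example), and classifies each probe as open (handshake completed), closed (RST, so the firewall let the packet through) or filtered (no answer, so something dropped it). Both "an extra port reachable" and "the SQL port itself unreachable" are reported as violations.

```python
"""Check web-to-database segmentation from the web tier.

Added example, not part of the original post. Assumptions: the database
host should expose only SQL Server (1433/tcp by default) to the web
server; every other port should be filtered by the firewall in between.
Run it on the IIS host, i.e. the box you assume will be compromised.
"""
import socket

# Ports an attacker on a compromised web server would try next if the
# firewall were missing or too permissive. Constructed for this example.
DEFAULT_PROBE_PORTS = {
    1433: "SQL Server (expected open)",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    445: "SMB",
    3389: "RDP",
    5985: "WinRM",
}


def probe_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    'closed' means the host answered with a RST: the firewall passed the
    packet and nothing is listening. 'filtered' means no answer at all
    (or no route), which is what a drop rule looks like from outside.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        sock.close()


def check_segmentation(host, allowed_ports, probe_ports=None, timeout=2.0):
    """Probe each port and compare against policy.

    Returns (results, violations): results maps port -> state; violations
    lists ports whose state contradicts the policy, i.e. an allowed port
    that is not open or a non-allowed port that is open.
    """
    ports = set(probe_ports if probe_ports is not None else DEFAULT_PROBE_PORTS)
    ports |= set(allowed_ports)  # always verify the allowed path still works
    results = {p: probe_port(host, p, timeout) for p in ports}
    violations = sorted(
        p for p, state in results.items()
        if (state == "open") != (p in allowed_ports)
    )
    return results, violations


def demo_localhost():
    """Offline demonstration against 127.0.0.1 (no database needed).

    Opens one listening socket to play the allowed SQL port and picks a
    second, unused port to play a port the firewall should block. Because
    this is loopback there is no firewall, so the unused port reports
    'closed' rather than 'filtered'; either is acceptable to the policy.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    allowed = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    blocked = spare.getsockname()[1]
    spare.close()  # released, so nothing listens there now

    try:
        return check_segmentation("127.0.0.1", {allowed}, {allowed, blocked}, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("no target given; running loopback demo:", demo_localhost())
    else:
        res, bad = check_segmentation(sys.argv[1], {1433})
        for port, state in sorted(res.items()):
            print(f"{port:5d} {DEFAULT_PROBE_PORTS.get(port, ''):28s} {state}")
        print("segmentation OK" if not bad else f"VIOLATIONS on ports: {bad}")
```

Run it as `python check_segmentation.py <db-host>` from the web server. A result of `1433 open` with everything else `filtered` is what the post describes; `closed` on the other ports means the packets reached the database host, so the firewall is not actually restricting the path even though nothing happened to be listening. If SQL Server runs on a non-default or dynamic port (named instances), pass that port as the allowed set instead of 1433.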