PPS. Almost forgot, sittingduck, cmd.exe should have its ACL set to deny full control from SYSTEM, IUSR_, and IWAM. This will also prevent exploits that launch a system shell from IIS (or anywhere else for that matter)
That makes perfect sence. What about just replacing a file on their harddrive with another one. Such as spools.exe with a trojan? Or editing a batch file already on the computer?