OK... Here is the update for you people. I wiped out the system yesterday, and did a fresh install of Windows 2000 Server.

Here is a checklist of what I did security-wise:

Installed only necessary components for the web server.
Installed Service Pack 2 and the Security Rollup Package, along with critical updates after that.
Deleted the IIS sample files
Unmapped the extensions that don't get used by IIS: .htw, .htr, etc.
Deleted the virtual directories that get automatically created with IIS.
Disabled NetBIOS over TCP/IP
Administrative shares and anonymous access restricted
Disabled anonymous access to the registry by editing a key in the registry.
Installed Norton AntiVirus Enterprise
Made sure any FTPs did not allow anonymous access.
Renamed Admin login
Used different passwords from the last box, and all passwords contain letters and numbers

And that pretty much sums it up... Tonight I am going to install AATools, and get a better look at what ports are being opened by what processes. I am going to look into those services in more detail and see if I need them on.

Is there anything else that you guys would suggest doing, or anything I may have forgotten from my checklist? Thanks.