I recently set up PHP 4.3.3 on a Windows Server 2003, IIS 6.0 environment. There were a few tricky quirks relative to security.
After setting up the proper web service extensions and application extensions for the web site, I received an access denied error. It turns out that not only does the anonymous web user (IUSR_) need access to the webroot and PHP dll’s, but the “NETWORK SERVICE” account also needs access to the PHP dll’s. Of course, in my paranoia, I had restricted the Users and EVERYONE groups from being able to access those directories. I feel much better knowing I’ve been able to adequately restrict access to those files, however.