I came across an article which covers some details of how ASP.NET web sites hosted by Microsoft are configured:
Key things are:
- Set the Compilation Switch Appropriately
- Use Medium Trust in ASP.NET 2.0
- Restrict Download of Specified File Types
- Be Careful When Adding Assembly References
- Remove Manually Set MaxConnection Values
- Beware of Unhandled Exceptions
- Ensure Proper Proxy Server Configuration
- Do Not Display Custom Errors to Everyone
- Know When to Enable Tracing
- Disable Session State Web Farms
Read the full article for detailed explanations.