Currently IIS users get a web.config in the root of Drupal that tries to make Drupal behave well on IIS, but the files directory doesn't get the same treatment. It would be great for Drupal to create a Web.config that attempts to disable execution of files in the public files directory.
According to the docs it's fine to have multiple files:
Multiple configuration files, all named Web.config, can appear in multiple directories on an ASP.NET Web application server. Each Web.config file applies configuration settings to its own directory and all child directories below it.
I asked for help on what this should be in two places - http://groups.drupal.org/node/226059 and http://webmasters.stackexchange.com/questions/28733/prevent-iis-from-exe... and both seem to have created the same resulting file.