Here are some recommendations for implementing IIS securely:
1) Use the Best Practice Analyzer tool
2) The app pool is the execution space, so each site should have its own.
3) Enable Remote IIS administration: http://www.iis.net/learn/manage/remote-administration/remote-administration-for-iis-manager
4) Test your web site, typically if you are exposed to the internet: https://asafaweb.com/
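
An added example for recommendation 2 (not part of the original post): a PowerShell script that reports application pools shared by more than one site and, when run with the hypothetical `-Fix` switch, moves each affected site into its own pool. The `<site>-pool` naming convention is an assumption.

```powershell
# Added example: audit IIS for application pools shared across sites.
# Run in an elevated PowerShell session on the IIS host.
param([switch]$Fix)   # hypothetical switch: without it the script only reports

Import-Module WebAdministration

# Collect every site root and nested application with the pool it runs in.
$bindings = @()
foreach ($site in Get-Website) {
    $bindings += [pscustomobject]@{
        Site = $site.Name; Path = '/'; Pool = $site.applicationPool }
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $bindings += [pscustomobject]@{
            Site = $site.Name; Path = $app.path; Pool = $app.applicationPool }
    }
}

# A pool is shared when more than one distinct site executes code in it.
$shared = @($bindings | Group-Object Pool | Where-Object {
    @($_.Group.Site | Select-Object -Unique).Count -gt 1 })

foreach ($group in $shared) {
    $sites = @($group.Group.Site | Select-Object -Unique) -join ', '
    Write-Output "Shared pool '$($group.Name)': $sites"
}
if ($shared.Count -eq 0) { Write-Output 'Every site already has its own pool.' }

if ($Fix -and $shared.Count -gt 0) {
    foreach ($name in @($shared.Group.Site | Select-Object -Unique)) {
        $pool = "$name-pool"                       # assumed naming convention
        if (-not (Test-Path "IIS:\AppPools\$pool")) {
            New-WebAppPool -Name $pool | Out-Null
        }
        # Run the pool under its own low-privilege virtual account.
        Set-ItemProperty "IIS:\AppPools\$pool" `
            -Name processModel.identityType -Value ApplicationPoolIdentity
        # Move the site root and all of its applications into the new pool.
        Set-ItemProperty "IIS:\Sites\$name" -Name applicationPool -Value $pool
        foreach ($app in Get-WebApplication -Site $name) {
            $appPath = "IIS:\Sites\$name" + $app.path.Replace('/', '\')
            Set-ItemProperty $appPath -Name applicationPool -Value $pool
        }
        Write-Output "Moved site '$name' to pool '$pool'"
    }
}
```

After a move, the site runs as `IIS AppPool\<pool name>`, so file-system permissions granted to the old pool identity need to be granted to the new one.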