Last year, I battled with this one myself for a good 6 months. The Moodle forums would occasionally come up with a user with a similar problem; however, the issue never really got resolved.
Then, finally, one day (or should I say day & night) I got annoyed and sat down with the intention of not getting up until I fixed it.
Your problem description is absolutely spot on. After much digging, I came across a flag for <httpErrors> which resolves the issue without enabling detailed error messages for all users.
Basically, when there is an existingResponse from the FastCGI pipeline (it generates the 404 response code when an error occurs within the PHP code), the default setting for IIS 7 is "Auto", which passes the details through to the custom error page handling modules. There is an option to configure this to PassThrough to the calling page, which can then handle the error internally.
Unfortunately, after I found this information hidden within the Microsoft documentation for IIS, a quick Google search using the PassThrough and existingResponse keywords returned the following site. Even more unfortunate (for us) is that you will notice the screenshots are of Moodle; however, nowhere on the page is the word "Moodle" mentioned, therefore all my previous searches never had a chance of finding this blog.
I've been out of the Moodle game for a few months because I changed jobs (just popped in to see how it's all going today by luck), therefore I won't go into detail on how to apply the setting to your site; I'll simply point you towards the blog which I referred to above:
Let me know how it all pans out for you,
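As an added illustration (not part of the post above, and not the blog's own configuration), this is what the <httpErrors> setting the poster describes looks like in a site-level web.config. It assumes a standard IIS 7 site where PHP runs through the FastCGI handler and that the web.config sits in the site root; the element and attribute names are the documented IIS ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Default is existingResponse="Auto": when the PHP FastCGI handler
         returns an error status, IIS replaces the body with its own custom
         error page, so the application's own error handling never reaches
         the browser.
         PassThrough hands the handler's response to the client unchanged,
         which is what lets Moodle's error page render. Detailed IIS error
         messages stay off for everyone. -->
    <httpErrors existingResponse="PassThrough" />
  </system.webServer>
</configuration>
```

The same change can be made without editing the file by running, from an elevated prompt, `%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/httpErrors /existingResponse:"PassThrough"` (substitute your site name). One thing to check after switching to PassThrough: because the PHP response now goes out as-is, anything PHP itself writes into the body will reach the browser, so keep `display_errors` off in php.ini on production and rely on the PHP error log instead.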