Yep - the installation instructions (although somewhat Unix biased) tell you to make sure that the web server user cannot write to the Moodle program directory.
Security and privacy
Moodle hacked, file permissions in IIS
So you think completely removing the first entry (IUSR) will bring it in line with recommendations?
Thanks for the replies, much appriciated.