Yep - the installation instructions (although somewhat Unix biased) tell you to make sure that the web server user cannot write to the Moodle program directory.
Just change it's permission to 'Read and execute'. What you don't want is write/modify etc.
Sorry, I don't speak Windows but that's the general idea.