Again, this is basic advice, but it is essential to ensure
that the directory browsing setting within IIS is set to off. If directory
browsing is on, it means that a user will automatically see the contents of a
folder that does not contain a default document (i.e. default.htm or
default.asp on most IIS servers).
This is especially hazardous if you have confidential
information on your website or the website earns its revenue from selling
content that is downloaded from the website itself, such as documents or
software download files.
Needless to say, you should also ensure that IIS is also
configured to enable default documents. Switching the directory browsing off
and enabling default documents should be done at the website level, so that any
new sub-folders created on the website inherit the settings.