If your website contains an administrative web user interface accessible via the Internet, then it is advisable to use as much security as possible.  It is particularly advisable to restrict access to a single IP address or a range of IP addresses if only one or several machines are going to require access to the administrative functions.

Including IP address restrictions is possible through the IIS management console.  IP address restrictions may be applied to entire websites, as well as individual folders and even files.  It is also possible to put in IP address checks at the application level by making use of the REMOTE_ADDR server variable.