I am unsure how IIS would react to the settings.php file being outside of the virtual directory or how to configure it.  Right now, unless you set the folder to allow for this, you cannot browse files below the root unless specifically allowed.

From: development-bounces@drupal.org on behalf of Darrel O'Pry
Sent: Tue 1/10/2006 8:41 AM
To: development@drupal.org
Subject: Re: [development] let's cleanup /misc

On Tue, 2006-01-10 at 14:49 +0100, Bčr Kessels wrote:
> Op dinsdag 10 januari 2006 14:20, schreef Adrian Rossouw:
> > The OSX way is far far simpler, and much much cleaner.
>
> But much unsafer (not speaking of OSX vs Unix safety).
> We discussed before, that PHP files should really live in a non-web-acessible
> place.
  -- I kind of have to disagree with this...  php files containing
sensitive data should not be in a web accessible
directory(settings.php)... If you're worried about people uploading
randscript.php or rewriting your .php files I think you have other
things you need to address like permissions.

> The biggest downside of that, indeed, is that the web-accessible files can no
> longer live in the module directories.
>
> Bčr