This is great stuff from Marnie Hutcheson: Customize your ISA/IIS and trap all web requests using an IP address (probably some hacker/worm tool) in a dummy location. Much like a honeypot - but easier and cheaper. Quote -
In this article, I will present an easily implemented strategy that uses HTTP 1.1 host headers to divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage.
Make sure to read the Hardening Your Web Server sidebar for further ideas.