Hi

In many cases, the user listed for this event will be "ANONYMOUS LOGON" from
"NT AUTHORITY" domain. This logon is used by processes that use the null
session logons (logons that do not require a user/password combination). Any
program or service that is using the System user account is in fact logging
in with null credentials.
If the operating system encounters a user without any credentials, the user
is regarded as having NULL credentials. When the system attempts to access a
secured network resource based on NULL credentials, this is referred to as a
NULL session. Access is only allowed if the remote machine allows NULL
session access. This is configurable through the registry. (See Knowledge
Base article 122702 for more information.)
One typical example is a computer that register itself with the Master
Browser for that network segment at startup. This registration will generate
several logon/logoffs from "ANONYMOUS USER". Since the registration is
renewed by default every 12 minutes, such events will occur at regular
intervals.

Maybe taht helps.

Walter

Please notice that the system's security log is not the IIS log.
Unless you can correlate activity recorded in the IIS logs with
the anonymous logon events in the security log, as you probably
cannot based on what you have said, then these event are not
related to the configuration of your IIS services.
You need to follow fundemental Windows Server security
guides and configure Windows. There are settings that can
be used to disallow anonymous access that you can find in
the security options section of group policy applied to the
machine. You probably should get the Windows Server
2003 Security Guide from the MS website.