IIS/ASP Permissions

I have written an ASP based blog/cms application but I need a bit of a hand with the security permissions between IIS and the ASP scripts themselves. The application allows administrators (application administrators NOT system administrators) to add, edit and delete physical pages from within the application itself using scripting.filesystemobject. Unfortunately this means that read,write and modify permissions must be set on the website that it is running on to allow these files to be created or modified which is obviously not a very secure way of doing things as I recently found out when someone uploaded a new index page for me :/

So anyway, I've two questions now:

1) I'm currently going through my IIS log files to try and see how or what they did but I've only got notepad, anyone got any tips on what I should be looking for?

2) The scripts that require permission to add, edit and delete files all reside in a sub-folder within the application. Is there anyway that I can grant the required permissions to the specific files or the folder they reside in?

Do you have a login script?
If not you should have. If you have change the password and make it more secure.
If the password is in an Access database within the webroot then make sure you don't have read permissions on the folder because if you do then anyone can download it.

Cheers for the reply degsy, I do have a log in script which uses a MySQL DB. after going through the logs though it looks like the scrotes used an exploit in either the Frontpage extensions or webdav to put their files in my website root rather than their being a serious problem with my IIS permission settings.

You can set read/write permissions on a specific subfolder, in fact that's the usual way to restrict users uploads to a specified location only. I generally use windows itself to set file permissions, not IIS.