Neil - personally I wouldn't do that. I'd do one of the following:
Please read the KB before doing anything because I'm going mostly from
memory and a quick glance through the KB. All you need to do is find the
urlscan.ini file. Make a copy of the existing file before editing. Find
the section called DenyUrlSequences, and remove the characters you don't
want to block. If I remember right, it's some ordinary stuff you could find
in an e-mail subject line such as "$" and "&." You may have to do something
to implement this change, such as restarting IIS. I'd put a message in my
Inbox with one of the characters in the subject line and see what happens
before and after the edit - then you'll know it worked. The KB is long and
wordy, but if you follow it through you'll get a good understanding of how
the urlscan.ini file controls everything, and you'll be able to make it work
the way you need it to.
Or, remove Urlscan from IIS and use the ISA version. I'm not 100% sure this
will work, so if anyone else knows please speak up. I quit using the IIS
version in favor of ISA when I installed ISA FP1. I thought it was a better
option than the IIS version at that time, but I no longer remember what made
me think so.
Or, upgrade to SBS 2003, which doesn't need Urlscan for IIS security.
