Is it possible to have IIS (6 or 7.5) return a 404 Not Found (instead of 403 Forbidden) when a disallowed directory listing is requested? A security scanning service I use thinks the 403 is revealing something "potentially sensitive", when in fact it's just not a valid URL. My workaround is to drop a default.aspx into each directory that returns an empty 404 page, but there has to be a better way...