Don't blame IIS. It is a fully capable webserver when administered corectly. Apache is more powerfull (my experience). The reason IIS gets a bad rap is that it runs on windows (I know the irony of that statement). The trick to using IIS is to have a solid firewall in front of it. This firewall will proxy all requests and fillter out all malformed urls and known attacks. If you don't want to do this, then apache is a better choice. In the end, both can handle the same load, if configured properly. Also keep in mind, apache can run on windows, so you are not stuck to a certain OS when chosing it.