For either Apache or IIS, your primary method for securing files should be the operating system: NTFS file security. That'll function the same for either Web server. From there, both Web servers can be configured with filters to restrict paths, files and file types that can be retrieved. For IIS, check out the IIS Lockdown Tool freely available from Microsoft. In a nutshell, my answer is that both platforms provide comparable levels of file security when properly configured and maintained.
This was first published in March 2003