What has better file-level security -- Apache or IIS?
If you're weighing the choice between Apache and IIS, I can assume you've decided to launch a Web server on the Windows platform. In that case, file security seems like an odd way to differentiate the two services. Generally, people choose Apache or IIS based on the applications they'll be running, their requirement to have access to the source code (Apache) or their need to integrate tightly with the Windows platform (IIS).
For either Apache or IIS, your primary method for securing files should be the operating system: NTFS file security. That'll function the same for either Web server. From there, both Web servers can be configured with filters to restrict paths, files and file types that can be retrieved. For IIS, check out the IIS Lockdown Tool freely available from Microsoft. In a nutshell, my answer is that both platforms provide comparable levels of file security when properly configured and maintained.