Does this mean that someone has tried to exploit some IIS vulnerability ? I found this in the bad requests log.

/scripts/..%c0%af../winnt/system32/cmd.exe

Means they tried - thats why we don't run IIS :)