Best Practices for Accessing an Internet IIS Server?

I am setting up an ASP.NET MVC web facing application on Windows 2008. It uses SQL Server 2008 for its database. I am looking for the best methods to protect it.

I found this article but is a little out of date. How valuable is this advice still?

Some background is a personal site behind my home NAT / firewall; and I will only send ports 80 and 443. The IIS server itself is a Windows 2008 host running HyperV (I only have one physical box to spare).

One useful thing mentioned in this article (which has crossed my mind before) is that the IIS box does not have to be a member of the domain, so an attacker cannot easily get out of the box. I will remove it from the domain in a moment :)

What other tips should I (and someone deploying to a larger environment) keep in mind?

I know this is not a programming-related question (there is no source code in it!), But I guess most programmers have to go to work when it comes to deployment guidelines.