Anonymous Web Site Access doesn't work on a newly promoted Domain Controller
If you have an anonymous user account that is shared across your domain and is used for anonymous access to web sites, it may not work correctly after you promote a web server to a domain controller. The anonymous account user appears in the "IIS Directory Security" tab if you click "Edit..." under the "Anonymous access and authentication control" heading.
So, if you have just promoted a web server to domain controller, and you still have web sites running on the domain controller (which is not recommended in general but may be necessary), you may find that it prompts you for a username and password when you try to access any of the sites running on this machine, even those sites configured for anonymous access. If this happens, you may have to use the "Domain Controller Security Policy" under the "Administrative Tools" menu to grant the "Log On Locally" permission to the DOMAIN\IUSER_AllMachines account, or whatever you call your domain-wide anonymous user account. By default, the new Domain Controller will have the IUSR_machinename account set to allow Log On Locally, but this will not help if that is not the account you use for anonymous access. Once you add your user to this permission group, WAIT 5 MINUTES and try again. The security policy updates every 5 minutes.
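To confirm the change took effect, the user rights can be exported with secedit /export /areas USER_RIGHTS /cfg <file> and checked offline. The following is an added example, not part of the original article; it assumes that export format, uses a constructed sample with made-up SIDs and a made-up IUSR_WEB01 account, and does not resolve group membership.

```python
import re

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file; the SIDs
# and the IUSR_WEB01 account are made up. Real exports are written as UTF-16,
# so read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,IUSR_WEB01
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names appear bare.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights


def can_log_on_locally(inf_text, account, sid=None):
    """True if the account (by name or SID) is granted and not denied the right."""
    ids = {account.lower(), account.split("\\")[-1].lower()}
    if sid:
        ids.add(sid.lower())
    rights = privilege_rights(inf_text)
    granted = ids & rights.get("SeInteractiveLogonRight", set())
    # "Deny log on locally" overrides the grant, so check it as well.
    denied = ids & rights.get("SeDenyInteractiveLogonRight", set())
    return bool(granted) and not denied
```

Pass the account's SID as well as its name when you know it, because the export usually lists domain accounts by SID.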
On a related note, if you have any components registered in COM+, these components may fail on your new domain controller. This is because the user identity for these objects may be incorrect. You will need to set the correct user identity on these COM objects as well. To do so, go to Component Services under the Administrative Tools menu, locate the affected component, click Properties, then under the "Identity" tab, choose the correct user for this component to run as.