IIS7 represents the unification of ASP.NET and IIS. Let me clarify what that means. Right now, ASP.NET is implemented as an ISAPI extension for IIS. That will still be true in ASP.NET 2.0. In IIS7, that changes. Instead, the concepts of HTTP pipelines, handlers, modules, XML config files, etc... are all natively built into the platform.
Along with that, the IIS7 team has completely refactored the whole platform, so now practically every feature in the pipeline has been broken out into a separate module. From a security standpoint, this is a whole new realm for IIS. Because the pipeline is componentized (the WHOLE pipeline), you can reduce your surface area by removing any module you're not using from the pipeline. So if you don't have Passport authentication, don't enable the module. IMO, that's really freakin cool.
IIS7 looks likely to only be available for Longhorn Server and Client systems, it seems, with XP/2003/2000 and so forth being left out in the cold.