My company has decided to place a web server in-house. It is currently being housed at the local ISP, which makes administration a pain.

What is the best way to set up and lock down a web server?

Here's some more info... the site itself is a client access portal running on SSL. Security is a major issue. The server is to be Win2K and IIS 5.0. File structure and NTFS permissions are taken care of. How do I restrict port access on the server? Should we place it behind a firewall? Should we place it behind a router? Should it be directly connected to the internet instead? If so, what are the typical precautions involved?

As you can tell, I have never set up an internet web server. I have experience with Win2K and IIS 5.0, but only on WAN intranets.

Any advice or opinions are welcome.