For PCI compliance on an IIS5 or IIS6 server, SSL2 should be disabled and 40-bit should be disabled. This Microsoft KB includes a .reg script to disable everything except for 3DES TLS:
http://support.microsoft.com/kb/245030/en-us
However, TLS is not enabled by default in IE6 which makes this script problematic. IE6 clients without TLS enabled will present a “page cannot be displayed” error to the user.
A better approach than the one recommended by Microsoft is to also enable 128-bit RC4 SSL v3.