Setting Metabase File Permissions

[Guest learner]

Permissions and auditing on the metabase file

(%systemroot%system32\inetsrv\metbase.xml or metabase.bin) on all our web

servers must be set so that the local IUSR_ and IWAM_ accounts are

explicitly denied ALL permissions and all failure events are captured to the

Security log. I modify these settings accordingly on several boxes but when

I run an audit (within 10 minutes of modification) to verify, all permission

and audit settings have reverted back to previous settings. According to our

domain admins, there is no GPO doing this. Any ideas?