Setting Anonymous "Write and Execute" Permission to a folder

Dear IIS Users:

Considering that I have an application accessible by anyone on the internet
and the application's directory has the same permissions mentioned in the
title of this message, would someone be able to upload a malicious file and
harm my computer even though there is no ftp service enabled to upload to
this folder?

I assume that the only avenue for attack in this scenario would be by using
buffer overlow techniques on my exe. True?

What if I were to create a max size buffer for both get and post operations
and I strip everything keeping only alpha-numeric and special url characters?
Would I still be vulnerable?

Please advise.

Jeff