REstricting IIS from serving static content

I'm trying to determine the best way to restrict access to static files in
IIS6.0. From my understanding the recommended solution is to remove the
extension from the MIME types in the IIS6.0 console. However testing has
shown that you also need to remove these from HKEY_CLASSES_ROOT as well.

To be as secure as possible I want to limit ALL static content so this would
mean removing all extensions from HKEY_CLASSES_ROOT, and I'm not sure what
determental effect this would have on the server.

The other solution is using the [AllowExtensions] functionality of URLScan,
but Microsoft apparently does not recommend installing URLSCan on IIS6.0 as a
means of increasing security.