Setting Metabase File Permissions

Permissions and auditing on the metabase file
(%systemroot%system32\inetsrv\metbase.xml or metabase.bin) on all our web
servers must be set so that the local IUSR_ and IWAM_ accounts are
explicitly denied ALL permissions and all failure events are captured to the
Security log. I modify these settings accordingly on several boxes but when
I run an audit (within 10 minutes of modification) to verify, all permission
and audit settings have reverted back to previous settings. According to our
domain admins, there is no GPO doing this. Any ideas?