
So I just ran into a stupid problem in which users could not download files that had a percent sign in them. This is an IIS6/Win2k3 box. It wound up being URLScan. I had to un-set two things in urlscan.ini:

1) Set VerifyNormalization to 0 (disabled)
2) Remove the percent sign from the "DenyUrlSequences" section

Do an iisreset, and problem solved. But the big question is: How much of a security risk is this?

neuro
Hobbes

2 Answers


Percent signs are used in URL encoding and could be used to express nasty chars such as quote marks. This rejection may be due to NormalizeUrlBeforeScan being on or off; I would try flipping this setting.

UrlScan isn't a very good WAF, and it's likely that you will run into problems with other false positives/false negatives. Mod_Security is more mature and can be used with IIS; however, it involves running a reverse proxy, which, to be honest, is a bit of a mess, but IMHO it's a better mess than UrlScan.

If you have some spare gold bricks you should pick up Cisco ACE, it is a good WAF.

rook

Be careful with processing of unfiltered URI character entities as URI strings can be used as vehicles for code injection.