You can do it right in IIS.
In the IIS 6.0 Administrator's guide, there's complete instructions.
Open D:\WINDOWS\Help\IIS.chm
and search for "IP addresses, controlling access to applications"
Securing Sites with IP Address Restrictions
You can configure your Web site to grant or deny specific computers,
groups of computers, or domains access to Web sites, directories, or files.
IP address restrictions apply only to IPv4 addresses.
Important : You must be a member of the Administrators group on the local computer to perform
the following procedure (or procedures), or you must have been delegated the appropriate authority.
To grant or deny access to a group of computers
1.. In IIS Manager, expand the local computer, right-click a Web site, directory, or file, and
click Properties.
2.. Click the Directory Security or File Security tab. In the IP address and domain name
restrictions section, click Edit.
3.. Click Granted access or Denied access. When you select Denied access, you deny access to
all computers and domains, except to those that you specifically grant access. When you select
Granted access, you grant access to all computers and domains, except to those that you specifically
deny access.
4.. Click Add.
5.. Click Group of computers.
6.. In the Network ID box, type the IP address of the host computer.
7.. In the Subnet mask box, type the subnet ID for the computer you want grant or deny access to.
8.. Click OK three times.