I am running a Windows 2008 server with IIS7. I need to use SSL 3.0 for PCI compliance but whenever I read up on using it, all the articles explain to disable SSL 2.0. If I do this, will IIS automatically use SSL 3.0 from that point on?
In the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols there is only an SSL 2.0 folder with a Client folder in it. Is that correct? Shouldn't there be an SSL 3.0 folder?
Yes, disabling SSL 2.0 will ensure that IIS only uses SSL 3.0 or TLS 1.0. You can also disable individual cipher algorithms to ensure that SSL3/TLS only use the "best" algorithms available as well, although this is not really a practical issue if you select "require 128-bit encryption" from the GUI in the IIS SSL configuration. All of the >128-bit algorithms in SSL3 and TLS are "strong", have no practical breaks, and unless you have very specific regulatory requirements can be used safely.
See http://support.microsoft.com/kb/187498 for details.
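As an added example (not part of the thread or the KB article), the following PowerShell script audits the SCHANNEL\Protocols keys the question describes and then applies the change the answer recommends, disabling SSL 2.0 on the server side; it assumes it is run elevated on the IIS host, and a reboot is needed before SChannel reads the new values.

```powershell
# Added example, not from the original thread: audit the SChannel protocol
# keys and disable the SSL 2.0 server side. Run elevated; reboot afterwards.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report Enabled / DisabledByDefault for every protocol subkey present.
    # A protocol with no subkey (like SSL 3.0 in the question) is not "off";
    # it simply runs with the Windows default for that OS version.
    foreach ($proto in Get-ChildItem -Path $ProtocolsKey -ErrorAction SilentlyContinue) {
        foreach ($side in 'Client', 'Server') {
            $sideKey = "$($proto.PSPath)\$side"
            if (-not (Test-Path $sideKey)) { continue }
            $props = Get-ItemProperty -Path $sideKey
            New-Object PSObject -Property @{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $props.Enabled            # $null means "OS default"
                DisabledByDefault = $props.DisabledByDefault  # $null means "OS default"
            }
        }
    }
}

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 2.0'
        [ValidateSet('Client', 'Server')][string[]]$Side = @('Server')
    )
    foreach ($s in $Side) {
        $sideKey = Join-Path (Join-Path $ProtocolsKey $Protocol) $s
        # New-Item -Force creates the missing "SSL 2.0\Server" path in one step,
        # which is why the question only sees a Client folder: nothing has
        # written a Server folder yet.
        if (-not (Test-Path $sideKey)) { New-Item -Path $sideKey -Force | Out-Null }
        # Enabled=0 is the switch the KB article documents; DisabledByDefault=1
        # additionally keeps the protocol out of the OS default protocol set.
        New-ItemProperty -Path $sideKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $sideKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Before/after view of the same keys.
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
Disable-SchannelProtocol -Protocol 'SSL 2.0' -Side 'Server'
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

The same Disable-SchannelProtocol function disables SSL 3.0 once that is needed; later PCI DSS versions no longer accept SSL 3.0, so the audit output is worth checking against the current requirement rather than the one in the question.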