Do you prefer to run your IIS webservers inside a DMZ that is part of the greater organisation's AD, or do you prefer to sacrifice ease of management and user control for (possibly perceived) security?
We currently run our IIS boxes outside of the domain and this enables us to keep a one-way rule with our firewall (no traffic from DMZ to LAN except 1 SQL port). However, this means I now have to use non-AD authentication and manually synchronize passwords across boxes.
Which is more secure?
Found an answer here: Active Directory in a DMZ
You can get the best of both worlds. AD LDS can be implemented and federated with your domain; see this article for an overview.
We have an off-the-shelf product that requires us to run the software on a domained IIS server. What's more, at least one of the OTS packages we have is designed to be internet-facing and is required to be domained. Some might call this a poorly designed application, but we have to use it, so the question is a tad moot.
We run our IIS servers in a domain -- their own domain. When the app pool identity and services run under a domain account, it is much easier to control access to shared files, data and other resources on different machines. There are security, scalability, and ease-of-use benefits to this model. I can't think of any risk to putting the IIS server in a domain that is difficult to manage.