We have a site being setup on IIS 6 (or 7 if im really lucky) and was told not to use sessions too much as the server had limited application memory (32bit Server 2Gig of ram for IIS). My understanding (based on unix/linux apache hosting and lighttpd) was that session data etc was stored in actual files.
Is it memory or filestorage?
Actually, there are a number ways to store session information (assuming you're using ASP.NET). In memory is one option which you do need to be careful of. I believe you can change it via your app's web.config. You can use other things like cookies or SQL Server to store state info. Here's a MSDN article that talks about ASP.NET session state. Here's another article that discusses choosing the storage location.