Best practices for hardening/locking down Windows Server 2008 R2 for use as web server?
If this server's sole purpose is to run IIS, I'd recommend installing Core and adding the IIS role (and the Remote Desktop Services role, although you may find that Remote IIS Manager suits your needs); this process is described here.
This will significantly reduce the attack footprint compared with a Standard installation of Windows 2008 R2 (and may improve performance or at least free up some resources with the reduced number of services/roles/features enabled/running).
If the box is built and you can't redo it, I'd suggest you run the Microsoft Baseline Security Analyzer after your Web application has been installed, tested to be working properly, etc. to find any potential vulnerabilities that may exist.
Following up with a general purpose security scanner such as Nessus or GFI LanGuard (and performing regular scans) would be a good idea as well.
A note on making changes... not to patronize, but I'd change one thing at a time and retest your Web site/application to make sure it's all working.
Last but not least, look at the Web application itself: you can use third-party Web vulnerability scanners to find obvious holes, but make sure that your developers or Web designers are following best practices for vigorous input validation for all your GET and POST actions on your site -- your Web application/site could be dishing up malware to unsuspecting visitors at the application-level without even compromising the OS or even IIS.