How to disable multiple form submit (POST) in IIS

One option for this would be rate-limiting using something like http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions which can be set to block the offending IP for a set amount of time.

You'd want to baseline the typical requests/second/IP before putting something like this into production, of course, but this should prevent a single user from being able to do something like that again.

If the issue is simply avoiding impact due to the number of concurrent requests, there is an add-on for IIS 7, Dynamic IP Restrictions. (This capability is now built-in to IIS8). It's possible to configure this for log-only mode to determine what if any impact there would be before enabling the capability.

http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions

• Seamless integration into IIS 7.0 Manager.
• Dynamically blocking of requests from IP address based on either of the following criteria:
  • The number of concurrent requests.
  • The number of requests over a period of time.
• Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
• Blocking of requests can be configurable at the Web Site or Web Server level.
• Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module supports return status codes 403, 404 or closing the connection.
• Support for IPv6 addresses.
• Support for web servers behind a proxy or firewall that may modify the client IP address.

Multiple form submits should be addressed at the application level. It's trivially easy to implement with master pages. The following jquery in the master page does the trick for all child content pages:

$("form").submit(function () {
    $(":submit", this).attr("disabled", "disabled");
});  

Another good practice that may be worth adopting: Post/Redirect/Get

http://en.wikipedia.org/wiki/Post/Redirect/Get