Forgive me for not remembering the web address of the blog, but they posted a web.config file to place in the cfide folder. The contents were something similar to this:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- block all file extensions except cfm, js, css, html, gif, png and xml -->
        <fileExtensions allowUnlisted="false" applyToWebDAV="true">
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".html" allowed="true" />
          <add fileExtension=".gif" allowed="true" />
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".xml" allowed="true" />
        </fileExtensions>
        <!-- hide configuration dir -->
        <hiddenSegments applyToWebDAV="true">
          <add segment="configuration" />
        </hiddenSegments>
        <!-- limit post size to 10 MB (value is in bytes), query string to 256 chars, URL to 1024 chars -->
        <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="10485760" />
        <!-- only allow GET and POST verbs -->
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
I believe the reasoning is that ColdFusion itself doesn't go through IIS when accessing its own resources within those folders, and only web browsers call through IIS, so blocking with the above web.config provides a patch.
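
An added example, not part of the original post: a small Python model of the request-filtering rules above, for checking which requests the allow-lists would reject before the file is deployed. The sample paths, the order of the checks and applying maxUrl to the path only are assumptions; the substatus codes are the ones IIS logs for each kind of request-filtering denial.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the posted rules; the body-size limit is left out.
WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="false">
    <add fileExtension=".cfm" allowed="true" /><add fileExtension=".js" allowed="true" />
    <add fileExtension=".css" allowed="true" /><add fileExtension=".html" allowed="true" />
    <add fileExtension=".gif" allowed="true" /><add fileExtension=".png" allowed="true" />
    <add fileExtension=".xml" allowed="true" />
  </fileExtensions>
  <hiddenSegments><add segment="configuration" /></hiddenSegments>
  <requestLimits maxQueryString="256" maxUrl="1024" />
  <verbs allowUnlisted="false"><add verb="GET" allowed="true" /><add verb="POST" allowed="true" /></verbs>
</requestFiltering></security></system.webServer></configuration>"""

def load_rules(xml_text):
    rf = next(ET.fromstring(xml_text).iter("requestFiltering"))
    def allow_list(section, key):
        node = rf.find(section)
        entries = {a.get(key): a.get("allowed") == "true" for a in node.findall("add")}
        return entries, node.get("allowUnlisted", "true") == "true"
    limits = rf.find("requestLimits")
    return {"ext": allow_list("fileExtensions", "fileExtension"),
            "verbs": allow_list("verbs", "verb"),
            "hidden": {a.get("segment").lower() for a in rf.findall("hiddenSegments/add")},
            "max_url": int(limits.get("maxUrl")), "max_query": int(limits.get("maxQueryString"))}

def evaluate(rules, verb, url):
    """Simplified model (check order and maxUrl-on-path are assumptions)."""
    parts = urlsplit(url)
    segments = [s.lower() for s in parts.path.split("/") if s]
    last = segments[-1] if segments else ""
    ext = "." + last.rsplit(".", 1)[1] if "." in last else "."  # "." = no extension
    (ext_rules, ext_unlisted), (verb_rules, verb_unlisted) = rules["ext"], rules["verbs"]
    if len(parts.path) > rules["max_url"]:
        return "404.14"  # URL too long
    if len(parts.query) > rules["max_query"]:
        return "404.15"  # query string too long
    if not verb_rules.get(verb, verb_unlisted):
        return "404.6"   # verb denied
    if rules["hidden"] & set(segments):
        return "404.8"   # hidden segment
    if not ext_rules.get(ext, ext_unlisted):
        return "404.7"   # file extension denied
    return "allowed"

if __name__ == "__main__":  # constructed sample requests
    for verb, url in [("GET", "/CFIDE/administrator/index.cfm"),
                      ("PUT", "/CFIDE/scripts/cfform.js"), ("GET", "/CFIDE/images/logo.jpg")]:
        print(verb, url, "->", evaluate(load_rules(WEB_CONFIG), verb, url))
```

The third sample shows a side effect of the allow-list: any extension not listed is rejected along with the unwanted ones.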