Quote:
also claims to have to investigate security issues with the OWA and URLScan tool

Jesus. What an idiot. It's blatantly obvious that it's just trying to protect people from using ".." to go up a directory level via HTTP. All he has to do is match m#(/\)\.\.+(/\)# (that is, either slash followed by two or more periods immediately followed by another slash) and it will solve your problem and leave the system as secure as it was before.

URLScan seems like a reasonable tool with stupid defaults. I hate it when admins install tools without understanding what it is they do, especially when they're security-related.
_________________________
Bitt Faulk