I haven't ever done it, but this is what a co-worker said would probably be requiredl.
You need to have IIS Manager access.
You have to turn off basic authentication for the ss directory where the backoffice cgi execute from.
You may also need to give the anonymous user (IUSR ?) full control to the ss directory.
In my test store that does not have basic authentication (webserver login) enabled, the ss directory Security settings are IUSER has Modify, Read & execute, List folder contents, Read and Write all checked. The Administrator has Full Control checked, the IIS_Users has just Read checked. <Disclaimer:> I only know enough about Windows server management to get myself into deep trouble, so make sure you have backups before attempting this.</Disclaimer>