Let me start off by saying that im not sure if this already exists, but i have never heard of it and neither has anyone i asked. So i'm SURE you all know about the IIS Authentication Manager Vuln (aexp4b.htr) and it can let people possibly bruteforce and change local account info on a Windows box. Well, while messing with a IIS machine this weekend I noticed that it also gives error messages that basically let you verify whether or not a user account exists