IIS – Which file extensions are always going to be OK with IIS

configuration iis web-server

We are serving up files for our own application for download from web servers, including IIS. One such file has the .config extension. Turns out that IIS won't serve this because it thinks it's a config file of its own. I'm thinking of using just .configuration instead. Will this be OK? Is there a list of 'forbidden' extensions for serving from IIS?

Best Answer

Yes, there is a list of extensions to block called Request Filtering. You can run:

appcmd list config -section:system.webServer/security/requestFiltering

You will see something like: ... ...

On my Windows 7 machine the list includes:
.asa, .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs,
.csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj,
.java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype,
.lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd,
.adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco

Note that you can also within your application specify more extensions or allow other extensions that might not otherwise be allowed by using a web.config inside your folder.

Warning: do not do this, since .config files could include sensitive information.

For example, if you drop a web.config inside your application with the following contents it will let users download .config files:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

For more info see: http://www.iis.net/configReference/system.webServer/security/requestFiltering

Finally, if you are going to use some random extension, you need to make sure that IIS also knows what MIME type to use and knows the extension that you will use if you want to allow static file downloads, and that needs to be inside the staticContent section (appcmd list config -section:system.webServer/staticContent). You can also configure this inside web.config just as above.
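
An added example, not part of the original answer and not IIS tooling: a Python check that reads a web.config and reports request-filtering overrides that re-expose extensions from the default deny list, plus whether a custom extension has a mimeMap entry. The function name, the SENSITIVE subset and the sample file (which uses the .configuration extension from the question) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: a subset of the default deny list quoted in the answer above.
SENSITIVE = {".config", ".cs", ".vb", ".mdb", ".mdf", ".ldf", ".resx", ".csproj"}

# Constructed sample: re-allows .config (the override the answer warns against)
# and maps the .configuration extension to a MIME type.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <staticContent>
      <mimeMap fileExtension=".configuration" mimeType="application/octet-stream" />
    </staticContent>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, wanted_ext):
    """Return (findings, mime_type) for one web.config; inherited settings are not seen."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    rules = root.find("./system.webServer/security/requestFiltering/fileExtensions")
    for rule in (rules if rules is not None else []):
        ext = rule.get("fileExtension", "").lower()
        if rule.tag == "clear":
            findings.append("<clear/> drops every inherited deny rule")
        elif rule.tag == "remove" and ext in SENSITIVE:
            findings.append(f"inherited deny rule removed for {ext}")
        elif rule.tag == "add" and ext in SENSITIVE and rule.get("allowed", "").lower() == "true":
            findings.append(f"{ext} explicitly allowed")
    mime_type = None
    for entry in root.findall("./system.webServer/staticContent/mimeMap"):
        if entry.get("fileExtension", "").lower() == wanted_ext.lower():
            mime_type = entry.get("mimeType")
    if mime_type is None:
        findings.append(f"no mimeMap for {wanted_ext} in this file")
    return findings, mime_type


if __name__ == "__main__":
    issues, mime = audit_web_config(SAMPLE_WEB_CONFIG, ".configuration")
    print(mime, issues)
```

A mimeMap can also be defined at server level, so a "no mimeMap" finding only means this file does not set one.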