That's by design. The <modules> section of system.webServer essentially defines IIS itself. If you <clear />, you won't be left with anything. In applicationHost.config, you should have something like this:
<modules>
<add name="HttpCacheModule" lockItem="true" />
<add name="DynamicCompressionModule" lockItem="true" />
<add name="StaticCompressionModule" lockItem="true" />
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />
<add name="IsapiFilterModule" lockItem="true" />
<add name="ProtocolSupportModule" lockItem="true" />
<add name="HttpRedirectionModule" lockItem="true" />
<add name="StaticFileModule" lockItem="true" />
...
Notice the lockItem properties. Because there are 1 or more lock items, will throw a lock violation.
So, you either need to specifically remove just the items that you don't want from web.config, or if you really need to clear them all and add back your own, then in applicationHost.config remove the lockItem="true" on each of those elements, and make sure to add enough of them back so that your web server will actually work.
Edit
(Appended further information from Daniel, per his request. (Scott))
Here is what I did based on what Scott said:
Opened applicationHost.config in %windir%\system32\inetsrv\config. Note that in 64 bit Windows Server 2008, you'll need to edit the file with a 64 bit editor (the native Notepad will do, but Notepad++ won't be able to find the file). See here for more information about this.
In the <system.webServer> element, change the lockItem attribute on all modules to false.
In my web application's web.config file, was then able to do the following:
<system.webServer>
<modules>
<clear />
</modules>
</system.webServer>
Of course, as Scott points out, this means there's no web server left, so here is the minimum set of modules I needed to get my stuff running again (YMMV):
<add name="HttpRedirectionModule" lockItem="false" />
<add name="StaticFileModule" lockItem="false" />
<add name="CustomLoggingModule" lockItem="false" />
<add name="CustomErrorModule" lockItem="false" />
<add name="IsapiModule" lockItem="false" />
<add name="AnonymousAuthenticationModule" lockItem="false" />
Also, for anyone interested, here's the backstory as to why I'm doing this.
I found the solution. Apparently, it did not register my .NET 4.0 installation. I simply had to run this program with parameters: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i", and it fixed it!
Note that the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" may differ according to what version of the .NET framework is installed!
To see what path you need, open "C:\Windows\Microsoft.NET\Framework\", and see what the folders name is, and adjust it accordingly, like so: "C:\Windows\Microsoft.NET\Framework\<version>\aspnet_regiis.exe"
Best Answer
I couldnt browse it locally by default (probably the firewall) - i had to wire a mock domain in using the hosts file and looping it back to the IP the site was bound to.
this then gave me the full error details which was insufficient permissions on web.config.
so, the reason why it couldnt show the detail is because it couldnt even read the web.config to read my instruction of 'show me the error details' (customErrors="off")