It depends on the version of Windows/IIS. In 2003 (IIS 6) and earlier, this can't be done. You can only enable/disable ciphers. In Windows 2008 (IIS 7) and later, you can do this through a GPO (if you're domain joined, and I'm guessing this server isn't if it's PCI compliant).
More info here: http://technet.microsoft.com/en-us/library/cc766285(v=ws.10).aspx
If their only complaint is MD5-based MAC, you should be able to simply add the !MD5 element to your existing cipher suite to meet the recommendation.
That said, I see they complain about the use of the CBC mode as well. Unfortunately, there is no CBC cipher group. The recommendation given to you also does not exclude CBC mode cipherspecs, at least on my version of openSSL (1.0.1e). This is a shame. If you need all such ciphers to be excluded, you could exclude all the CBC ones explicitly, though you will have to update that as they are included. Note that even HIGH includes CBC ciphers.
Including both ALL and RC4+RSA is redundant. I would be loathe to trust a security consultant (even a computerized one) that cannot even construct a well-formed cipherspec that meets their own recommendations.
The SSLCipherSuite takes an OpenSSL cipher spec. You can find this in the openssl documentation (link), but I find that this documentation is usually quite out of date. However, you can test one by running openssl ciphers ${cipherspec} on your server; output will be a :-separated list of ciphers that would be allowed by the given spec, or an error indicating none were allowed.
Similarly, if you want to know what LOW contains, do:
falcon@tiernyn ~ $ openssl ciphers 'LOW'
EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:ADH-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5
!LOW means to exclude those ones. +HIGH means to prefer the high-security ones in the ordering.
If you want a line-delimited list of all the ciphers that use CBC in your cipherspec, do:
openssl ciphers ${cipherspec} | sed 's/:/\n/g' | grep CBC
Those are the ones you'd have to exclude. You may, however, find it more reasonable to grep -v CBC and include only those (just set them up in a :-delimited list and use that as the cipherspec).
Best Answer
The SSLCipherSuite directive can be used in the Server, VirtualHost, Directory, and even .htaccess contexts. This means that you can set up a separate virtualhost listening on another port, a separate directory ("example.com/JDK7Access"), or even an .htaccess file to allow a different cipher suite at your desired level.
Source: Apache 2.4 module mod_ssl documentation
If you would like to simply prioritize the use of cipher suites, you can issue the SSLHonorCipherOrder directive at either the Server or VirtualHost contexts. This makes Apache prefer the leftmost cipher it can negotiate from your SSLCipherSuite list.