I was stuck with authorization issues with a web application trying to call COM+ applications in IIS. But when the security hops go beyond 2 levels of access, it becomes more difficult to find the root cause. Good thing I found this tool from Microsoft called AuthDiag 1.0. This tool is designed to aid customers in effectively troubleshooting and determining the root cause of the problem. It works with IIS 5.x and 6.0 (sad to say it doesn't work with IIS 4.0 which runs on top of Windows NT 4.0). It will analyze metabase configuration and system-wide policies and warn users of possible points of failure and guide them to resolving the problem. AuthDiag 1.0 also includes a robust monitoring tool called AuthMon designed at capturing a snapshot of the problem while it occurs in real-time. AuthMon is robust and specially designed for IIS servers removing any information not pertinent to the authentication or authorization process.
To know more about this tool, you can download a Microsoft webcast that focuses on how to use this tool