I believe IIS supports locking attributes (source: http://www.iis.net/learn/get-started/planning-for-security/h...) so you should be able to lock at applicationHost.config and restrict further modifications. (I'm testing this now)

EDIT:

It causes a config error when a lock violation occurs which means the site gets an error 500 so its not an ideal fix.