Since no one else is taking this question, I’ll give it a shot. Be forewarned, I don’t know how accurate this may be. I haven’t played around with IIS 6.0.
First things first: I’m assuming that you are using authentication to the Active Directory in IIS 6.0. Also, I’m assuming you are changing your passwords in the normal manner of either forcing the user to change it on logon or during a normal expiration period.
The first thing that comes to mind is that you have the group or local security policy setting of “Store passwords using reversible encryption” and/or “Do not store LanManager passwords at next password change” set. The only reason that I can see that this would cause a problem is if your IIS application is using the older LanManager authentication, however. If so, update it to use NTLM.
It could be some of the security changes in IIS 6.0 that are messing you up, but I doubt it because you are hopefully using Active Directory authentication with the previous web app.
If you have multiple domain controllers, it could be a synchronization issue between the DCs. You can force a replication using the “Sites and Services” administrative application. Otherwise, you may have to wait 15 minutes afer changing a password to use the web app.
Hope one of these puts you in the right direction.