Excluding the mdf, ndf and ldf files from the database engine is pretty standard these days. The other file extensions can be scanned or not, they are small and won’t take the anti-virus long to scan them.
You will want to leave the I/O scanning of the anti-virus on, just make sure that it isn’t touching the database files. You want it checking everything else which is writing to the disk.
Disable (or remove) IIS completely unless you actually need it running on the SQL Server. Then you don’t need to reconfigure the w3 service.