Security is a massive topic. To be effective, the security policy of an organization must be enforced at every level of the technical architecture, and must be reinforced via business policies and procedures.
Web server hardware should be kept in a secure room, free of environment hazards, with access controls, air conditioning, and so on. Firewalls and proxy servers must be configured to prevent unauthorized access and to keep out malicious content (this should include the disabling of any ports that don't need to be open, and careful control of those that do).
Network configurations and password control should be effectively managed and monitored.
Audit logs should be kept of all failed attempts to gain access to the system. Virus-checking software should be installed on file servers, hard disks, and so on before any device or computer is allowed access to the network. Web server software-access controls should be carefully managed; virtual directories should be created and maintained carefully in the light of security issues.
Operating system permissions (on files and directory structures as well as on executable content) should be carefully controlled and monitored, and database permissions and security controls should be afforded the attention they deserve. Application-level controls, where they exist, should be carefully designed, managed, and monitored.
The use of SSL to manage interactions between the browser and the Web server can help protect sensitive data being sent to and from the Web. ActiveX controls should only be used in situations where they're absolutely necessary, and even then with a great deal of caution and control over what they can and cannot do. Digitally signing an ActiveX control only provides the user with confidence that he or she can download it; it doesn't ensure that the ActiveX control cannot cause unexpected damage or provide a backdoor into the system.
Remember that security is a journey, not a destinationlnew security "holes" are found in software components all the time, new viruses appear daily, and complacent companies are the hacker's dream.