You can use a URL Rewriter like IIRF to do this. Insert rules to return 404's or whatever you like to requests that come from disallowed IPs. This will work with any web app platform: PHP, Java, ASP.NET, RoR, static html or images, whatever.
The readme gives an example like this:
RewriteCond %{REMOTE_ADDR} ^(?!127.0.0.1)([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})(.*)$
RewriteRule ^/(?!redirected.htm)(.*)$ /redirected.htm
and it says:
The above condition evaluates to true when the server-variable "REMOTE_ADDR" evaluates to an ip address which is NOT 127.0.0.1. The ?! is a zero-width negative lookahead, and the (.*) at the end of the regex is to catch any rubbish that sometimes appears in that variable. The rule following the condition says, for any URL which is not "redirected.htm", map it to "redirected.htm". This prevents endless re-writing. (You could also prevent endless rewriting with an [L] modifier flag).
This RewriteCond+RewriteRule redirects any externally originating requests to the IIS server. You could do something similar for a specific set of whitelisted IPs.
IIRF is an ISAPI filter written in C, and is similar in philosophy to mod_rewrite. It works with IIS5, 6, or 7. You will need admin access to set it up. You don't need to "program it", but there is a ini file that has similar syntax to .htaccess (specifically for the mod_rewrite rules).
IIRF is free and open source.