IIS is not vulnerable as it does not use the OpenSSL library
Update, quote Troy Hunt:
Not all web servers are dependent on OpenSSL. IIS, for example, uses Microsoft’s SChannel implementation which is not at risk of this bug. Does that mean that sites on IIS are not vulnerable to Heartbleed? For the most part, yes, but don’t get too cocky because OpenSSL may still be present within the server farm.
More info here – http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
Update 2:
Microsoft blog post on IIS and Heartbleed: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx