There is a flaw in the way in which nsiislog.dll processes incoming requests. A vulnerability exists because an attacker could send specially formed communications to the server that could cause IIS to fail or execute code on the user's system.
Windows Media Services is not installed by default on Windows 2000, and must be downloaded to install on Windows NT 4.0. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed and send a specific request to that server.
For the patch, see http://www.microsoft.com/technet/security/bulletin/MS03-019.asp.