I think the members are a bit confused because of the lack of details. For example, what is contained within the index page? What kind of functionality does it have? More importantly, why are you trying to break it?

As for a general strategy, when you are doing web pen testing you need to think in layers. If the target page has fields where you can input data, then you can try to attack the actual functionality via SQL/LDAP/CRLF/etc. injection. If you have a local proxy such as Paros, you can try to attack some of the actual HTML/HTTP header traffic by manipulating session, authentication, etc. data, or even some more advanced injection attacks. Locally on your system you can mess with the cookies, or even save a copy of the site and try client-side attacks by breaking the code.

If none of the application-level attacks work, then move down to the actual web service. If you know it is IIS, then research attacks specifically meant for that web server. Many of the attacks that you performed against the web page will result in error messages that might even give you version or patch level.

If those attacks don't work, then try to figure out if there are supporting apps you can attack. Does the webpage have an Oracle back-end? Is there some type of authentication framework that they use? Go for those next.

When all else fails, drop down to the OS level. If you know it is Win2K, then you have a massive amount of exploits available. If all that fails... there is always email and trojans.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
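
Seen from the defending side, the post's point that error messages can give away version or patch level is something you can check on your own server's responses. The following is an added example, not part of the original post; the header list, the regex patterns and both sample responses are constructed for illustration and are not exhaustive.

```python
import re

# Response headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Body patterns for verbose error pages (illustrative assumptions).
BODY_PATTERNS = {
    "iis_banner": re.compile(r"Microsoft-IIS/\d+(?:\.\d+)*"),
    "aspnet_version": re.compile(r"ASP\.NET Version:\s*\d+(?:\.\d+)+"),
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "odbc_error": re.compile(r"\[Microsoft\]\[ODBC [^\]]+\]"),
}

# Constructed sample responses: a verbose error page and a hardened one.
VERBOSE_HEADERS = {"Server": "Microsoft-IIS/5.0", "X-Powered-By": "ASP.NET",
                   "Content-Type": "text/html"}
VERBOSE_BODY = (
    "<h1>Server Error</h1>\n"
    "Microsoft OLE DB Provider for Oracle error '80004005'\n"
    "ORA-00933: SQL command not properly ended\n"
    "<hr>Microsoft-IIS/5.0\n"
)
HARDENED_HEADERS = {"Server": "webserver", "Content-Type": "text/html"}
HARDENED_BODY = "<h1>Something went wrong</h1>\nReference: 7f3a\n"


def find_disclosures(headers, body):
    """Return a sorted list of (location, name, evidence) tuples."""
    findings = set()
    for name, value in headers.items():
        lname = name.lower()
        # A Server header is only flagged when it carries a version number;
        # the other banner headers are flagged whenever they are present.
        if lname in BANNER_HEADERS and (lname != "server" or VERSION_RE.search(value)):
            findings.add(("header", lname, value))
    for label, pattern in BODY_PATTERNS.items():
        for match in pattern.finditer(body):
            findings.add(("body", label, match.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_disclosures(VERBOSE_HEADERS, VERBOSE_BODY):
        print(finding)
```

Any finding is a prompt to switch the application to generic error pages and to strip or neutralise the banner headers at the web server.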