Disable TRACE IIS 6



We have had results from a pen test and they state that we have TRACE HHTP
enabled and also the OPTIONS request returns GET, HEAD, POST, PUT,
DELETE,TRACE, OPTIONS, CONNECT

We have disabled TRACE via the registry (EnableTraceMethod = 0)
I have installed urlscan and allowed only GET, HEAD, POST verbs
I've got into the home directory > configuration for the root, default and
each virutal site and edited each extension so that only GET, HEAD and POST
are allowed

We do not use WebDAV - prohibited and only use ASP

However, using Nesses, netcat and wfetch all return the same:
OPTIONS still show GET, HEAD, POST, PUT, DELETE,TRACE, OPTIONS, CONNECT
TRACE / HTTP/1.0 still returns a 200 OK and not a 501
PUT /../..HTTP/1.0 returns a 403 forbidden tho I am unsure whether that
matters or not?

Any ideas? Is thois a false positve?
Thanks
.