Localstart.asp is a default page on IIS installations. This page is protected by IIS using basic authentication. The problem with this is that if I am able to brute-force the password, I know the password for the admin on the local box.
This can be very bad since the attacker now knows the admin's password. If the box enables any network services, this is almost fatal. Even if this particular box does not have any network services, the attacker has an idea of how the admins make up passwords. For example, if the localstart.asp admin password is "Adm1nB0xname", the attacker has a fairly good idea of what the password is going to be on another box in the network that has more privileges, such as ssh.
A word of caution to those who decide that the best way to go about it is to remove localstart.asp: it seems that simply removing it causes problems in IIS. The best solution is to replace localstart.asp with a blank page and have no authentication on it.
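
To check whether the page has already been targeted, the IIS access logs can be searched for runs of 401 responses on localstart.asp from a single client. The following is an added example, not part of the original post: the sample log lines are constructed, and the field layout and the threshold of 4 failures are assumptions to adjust to your own W3C logging configuration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-10 03:12:01 203.0.113.7 - GET /localstart.asp 401
2024-01-10 03:12:02 203.0.113.7 - GET /localstart.asp 401
2024-01-10 03:12:02 203.0.113.7 - GET /localstart.asp 401
2024-01-10 03:12:03 203.0.113.7 - GET /localstart.asp 401
2024-01-10 03:12:04 203.0.113.7 Administrator GET /localstart.asp 200
2024-01-10 09:30:15 192.0.2.10 - GET /localstart.asp 401
2024-01-10 09:30:20 192.0.2.10 Administrator GET /localstart.asp 200
"""

TARGET = "/localstart.asp"   # page named in the text
THRESHOLD = 4                # assumed cut-off for failures per client


def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_bruteforce(text, threshold=THRESHOLD):
    """Return {client_ip: {"failures": n, "succeeded_after": bool}} for noisy clients."""
    failures = defaultdict(int)
    succeeded_after = {}
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        ip, status = row.get("c-ip"), row.get("sc-status")
        if status == "401":
            failures[ip] += 1
        elif status == "200" and failures[ip] >= threshold:
            # A success after many failures suggests the password was found.
            succeeded_after[ip] = True
    return {ip: {"failures": n, "succeeded_after": succeeded_after.get(ip, False)}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single 401 followed by a 200 is the normal basic-authentication challenge, which is why the second client in the sample is not flagged.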