I have been here: http://forums.iis.net/p/1168473/1946312.aspx
http://www1.ccny.cuny.edu/facultystaff/it/security/upload/CIS_Microsoft_IIS7_Benchmark_v1-2-0.pdf (search HTTPOnly)
This isn't working in IIS 7.5
Double checked that this is applied in web.config - it is
Looking around searching on this issue it appears that only IE respects this cookie attribute?
In particular - the offending cookie is ASPSessionXXXXXXXXXX cookie @ morephotos.com
Is the only solution the URL Rewrite rule?