security newsgroups
Is the sessionState cookie a security risk?

We had an outside security analysis done and they discovered the session cookie set by the session state feature. Business/Marketing does not want us to use the cookieless option where the sessionid is moved into the URL. Are we at risk of session hijacking? The people that performed the security audit recommend encrypting the session cookie, but I don't think that is an option. Any advice would be greatly appreciated.

IIS does not have a session state feature nor session state cookie.
The concept of a "session" is at the application layer, not the HTTP layer where IIS runs, so IIS does not have a session state feature and hence cannot have a session state security risk. Your question completely depends on the application framework you run on top of IIS. I am guessing that you are talking about an ASP.Net application, and if so, you should consult the Forums at www.asp.net or microsoft.public.dotnet.framework.aspnet for better support for your question.

My understanding is that ASP.Net Sessions are configurable to be as secure as you define. Security is never an absolute yes/no -- it is inherently a tradeoff between risk and cost. You need to first define your own tradeoff point, and then configure technology to meet your needs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"RobAbbott@ElementK" <RobAbbott@Eleme***@discussions.microsoft.com> wrote in message news:FE209C45-559D-4F12-A933-29C3E6BCEF71@microsoft.com...
> We had an outside security analysis done and they discovered the session
> cookie set by the session state feature. Business/Marketing does not want us
> to use the cookieless option where the sessionid is moved into the URL. Are
> we at risk of session hijacking? The people that performed the security audit
> recommend encrypting the session cookie, but I don't think that is an option.
> Any advice would be greatly appreciated
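As an added illustration of what "configurable to be as secure as you define" looks like in practice, here is an ASP.NET `web.config` fragment; it is not from the original thread and is not Microsoft's or the poster's configuration. It keeps the session ID in a cookie (the cookieless URL option the business side rejected stays off) and limits how that cookie travels, which is the part that matters for hijacking risk. The `sessionState` and `httpCookies` elements and their attributes are standard `system.web` settings; the 20-minute timeout, the `cookieSameSite` attribute (which needs .NET Framework 4.7.2 or later) and the assumption that the whole site is served over HTTPS are mine.

```xml
<!-- Added example, not part of the original thread.
     Assumption: the entire site is served over HTTPS only. -->
<configuration>
  <system.web>
    <!-- Keep the session ID in a cookie, never in the URL, and keep the
         session lifetime short so a leaked ID is useful for less time.
         cookieSameSite requires .NET Framework 4.7.2 or later. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieSameSite="Lax"
                  timeout="20" />

    <!-- Default every cookie ASP.NET emits to HttpOnly (not readable by
         page script) and Secure (sent only over HTTPS). requireSSL applies
         to all ASP.NET cookies, so it only works on a fully HTTPS site. -->
    <httpCookies httpOnlyCookies="true"
                 requireSSL="true" />
  </system.web>
</configuration>
```

The point the fragment makes is the one David raises: the session cookie is not itself "encrypted", but whether it can be captured or replayed is governed by where it is allowed to travel (HTTPS only), who can read it (no script access), and how long it stays valid, and each of those is a setting the application owner chooses rather than a property of IIS.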