When and How?
Could the IIS-hosted WCF service make use of HTTP transport security if the IIS virtual derectory that contains the service does not support it?