I'm running Apache as my webserver on a win2003 server to suit certain company policies.
Apache is fine, then everything is secured by default. Please note we're talking about what you can access through the webserver. If your Windows box exposes the filesystem through other means like the "network neighborhood" then it's a completely different problem.
I have deployed a basic ACL policy but I don't like the fact that users can, if they so wish, currently view the wiki directory structure and actually view files like doku.php as well as all the other files.
Nobody can see the contents of doku.php because it's parsed by PHP and only the result is delivered to the user. The directory structure is protected by .htaccess files (make sure your Apache honors them). E.g. it forbids accessing the data directory. You may also want to disable Apache's directory indexing. Refer to the Apache manual on how to do this.
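
An httpd.conf fragment covering the three points in the reply above (honoring .htaccess, blocking the data directory, disabling directory indexing), added here as an example and not part of the original thread. It assumes Apache 2.2 access-control syntax and an install path of `C:/Apache2/htdocs/dokuwiki`; both are assumptions to adjust.

```apache
# Assumed install path; change it to where DokuWiki actually lives.
<Directory "C:/Apache2/htdocs/dokuwiki">
    # Weak settings, shown commented out:
    #   AllowOverride None   -> Apache ignores every .htaccess file
    #   Options Indexes      -> directories without an index file are listed
    # AllowOverride None
    # Options Indexes FollowSymLinks

    # Corrected: let .htaccess files set Order/Allow/Deny rules,
    # and switch directory listings off.
    AllowOverride Limit
    Options -Indexes
</Directory>

# Block the data directory in the server config too, so it stays
# closed even if .htaccess files end up not being honored.
<Directory "C:/Apache2/htdocs/dokuwiki/data">
    Order allow,deny
    Deny from all
    # Apache 2.4 equivalent: Require all denied
</Directory>
```

After restarting Apache, requesting a file under the data directory and a directory without an index file should both return 403 Forbidden.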