
400 Bad Request for URLs containing "&" on IIS7 with UrlRoutingModule

devze.com (https://www.devze.com) 2023-04-06 20:57 Source: the web

I'm setting up ASP.net MVC 2.0 on an old WebForms site that runs on IIS 7. The old site has a 404 handler set up like:

<httpErrors errorMode="Custom">
    <remove statusCode="404" subStatusCode="-1" />
    <error statusCode="404" prefixLanguageFilePath="C:\..." path="/error404.aspx" responseMode="ExecuteURL" />
</httpErrors>

This 404 handler is used to simulate URL rewriting, so a URL like "/+yes-&-no" would get routed to it, and Server.Transfer()ed to the correct page. This all works.

When setting up ASP.net MVC 2.0, I add this to the web.config:

<modules runAllManagedModulesForAllRequests="false">
    <remove name="UrlRoutingModule" />
    <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</modules>

Once this is added, all URLs containing an ampersand (e.g. "/+yes-&-no") return:

Bad Request

How do I keep the UrlRoutingModule enabled, and still allow URLs with ampersand?

Rejected Solutions:

  1. I was able to get these registry changes to work, but they have been vetoed out of security concerns.
  2. I was able to use URL Rewriting to change the "&" to "and", but that has SEO implications because that changes the <h1>, etc.

    <rule name="RemoveIllegalAmpersands">
        <match url="(.+)&amp;(.+)" />
        <action type="Rewrite" url="{R:1}and{R:2}" />
    </rule>

  3. I saw the requestPathInvalidCharacters web.config element, but we can't try it because we're still on .NET 3.5.

Are there any other solutions that I've missed?


Have you taken a look at this post by Hanselman?

http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

He describes how to tweak what characters are considered invalid (look for requestPathInvalidCharacters on his blog post).

Be aware that there are several landmines to be aware of if you tweak this.
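
For reference, the setting named in the answer looks like this in web.config. This is an added example, not taken from the original post or from Hanselman's article; it assumes ASP.NET 4.0 or later (the `requestPathInvalidCharacters` attribute does not exist on .NET 3.5) and removes only the ampersand from the framework's default list, leaving every other character rejected.

```xml
<!-- Added example. Assumes ASP.NET 4.0 or later. -->
<configuration>
  <system.web>
    <!-- Framework default, shown for comparison:
         requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" -->
    <!-- Default list with only the ampersand removed. The remaining
         characters are still rejected with 400 Bad Request. -->
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" />
  </system.web>
</configuration>
```

Once "&" is allowed in the path, any code that copies the path into HTML (the `<h1>` mentioned in the question, for example) has to HTML-encode it on output.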
