But nowadays, I think that with the security built into current platforms such as WS 2012 and 2012 R2 and surely the upcoming Threshold/Win10 release, this problem is diminishing in importance when viewed from a security angle. This is even more so if the IIS layer is internal facing rather than internet-facing.
Time to put on my security hat.
So, I wouldn't be so trusting. You're right when you say that security at the OS level has increased, but as more and more developers write web sites, the security of web applications has, well, decreased. Most attacks now target the applications, not the infrastructure, and if you look at how many SQL injection attacks happen successfully every year, we, as an industry, aren't fixing even the most basic problems well. This is both a matter of education and framework design (use an ORM, people, please).
And just because it's an internal app doesn't make it any less attackable. Permera, Google, et al. have been the subject of attacks where malware has run within the corporate network, attacking internal applications and stealing data and secrets simply because people assume that internal is safe. It's not. Internal networks should be treated as hostile.
Personally I'd keep them apart for easier scale up and scale out more than security.