LATER EDIT : Could it be that IIS is not case sensitive for URLs and Apache is and someone could use this information to further increase the confidence factor in OS/WebServer detection?
I was reading about the useful UrlScan tool here and came across
IIS 6.0 does not include the RemoveServerHeader feature because this feature offers no real security benefit. Most server attacks are not operating system?specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header.
Of course this stirred my curiosity since I don't understand how you can detect the OS and/or the web server without using the server header. However extensions (.php, .asp, .aspx, .do, .py etc. etc.) cannot be the answer to this question nor looking for "__VIEWSTATE" or similar hidden input fields in the response content.
Is there some secret way that I don't really know about?
EDIT 1 : I assume customized error pages (not the default ones which clearly show the web server; knowing the web server gives you a strong clue about the OS too)