Thirty seconds with google looking for, say, IIS cpu time limit pulls up plenty of stuff. Like docs for the CGITimeout, CPUCGIEnabled, and CPULimitProcStop properties from Microsoft's knowledge base. Sure looks like IIS does all this already.
Patching perl won't fix this problem without a damned impressive patch. The ones you've proposed just won't work -- besides being undone by the first alarm set in the process, it won't catch all the cases where things run wild anyway.
It's possible that I have no clue here how webservers work, haven't been up to my elbows in perl 5's guts on several platforms, haven't been working on perl 6, and aren't the guy who'd have to design the bits that'd be needed to make something like this work in the future. And it's also possible that everbody who's commenting is utterly clueless here.
Or... not. Sometimes when everyone tells you you're wrong you actually are wrong.