iiswindows-server-2003
We are running Microsoft Server 2003 with IIS. We would like to give our developers access to manage IIS (through IIS Admin) but do not want them to be administrators of the entire machine.
Putting them in "Power Users" group does not seem to work.
What permissions should we grant to our developers to allow them to manage IIS (e.g. add websites, modify app pools, etc.) without giving them full admin rights to the server?
Your idea is logical except IIS does not impersonate your user. It runs as either the W3C service account or as the application pool identity (if your site is configured as an application). So the service account or application pool identity must have access to the folder or the user will get a runtime error.
My advice is to configure the site as an application and then use the web.config file to restrict access to the download folder.
This article should give you the information you need to get started. http://support.microsoft.com/kb/815151
Group Policy should handle this without problems. Example I have for locking down the C: root folder on Windows 7:
Computer Configuration > Windows Settings > Security Settings > File System > %SystemDrive%\
Best Answer
Install the IIS Management Console onto their local machine, and get them to connect to the server from their local machine. Then you can give them whatever permissions they need on the local machine, disable their ability to log on to an interactive session, and then they can't get up to too much mischief.
This is how IIS servers should be administered anyway, it's generally a bad idea to have admins (let alone devs) logging onto server just to change a minor IIS setting.
The Windows 7 version of the Admin tools (which will administer 2k3 IIS just fine using the IIS 6 management console) can be found here.