Iis – How to stop users directly accessing files on a website in IIS

It's a start. IUSR_ComputerName is what IIS uses for permissions of anonymous users by default. That means they will have been able to do an anonymous HTTP PUT, overwriting any file.

IIS_WPG is a group used for permissions under which your application pool runs. The way I understand it, raising the permissions of the .NET user for certain directories should be enough for you. IUSR_ComputerName should only need read permissions.

What is your application pool set to use? Instead of giving permissions to the IIS_WPG group, making a specific user account would provide some additional security if you run multiple sites.

I would recommend either saving the files to a non-web-accessible directory, or creating a random name before saving to disk.