I would like to lock down the web.config file as much as possible, so that as few accounts as necessary can read the file. I saw the list here http://msdn.microsoft.com/en-us/library/ms178699.aspx but allowing the Users group read permission on the web.config file seems excessive. Thanks.
Iis – Web.config file permissions
asp.netiispermissionsweb.config
Best Answer
The Users group would of course apply to the local machine. What are you worried about them reading in the web.config? If it's your connection strings, you can encrypt those.