Permissions to run a SharePoint 2010 Application Pool

Tags: iis-7, iis-7.5, sharepoint-2010

I'm currently in the process of setting up a SharePoint 2010 farm. In my Dev Environments, I have one account that is Local Admin, Farm Administrator and runs all Application Pools.

For the Production Environment, I would like to go with best Security Practices and run the Web Applications (at least 2: Main Portal and My Sites) with separate Domain Accounts.

It's been some time since I worked with IIS, and I remember that there were issues with accessing files in c:\inetpub by non-Admin users. On the other hand, SharePoint "automagically" sets most permissions anyway.

Does anyone have some experience with which permissions I need to give to the domain account at minimum in order to work?

Best Answer

Check out this TechNet article for the gory details. Basically, your application pool account is assigned to the WSS_WPG group on the server. WSS_WPG is then assigned access to various registry keys and files/folders. There is a table in the linked document with all of the actual permissions for WSS_WPG.
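An added audit script, not part of the question or the answer above, that checks the mechanism the answer describes on a web front end: for each IIS application pool running under a specific account, it reports whether that account is a member of the local WSS_WPG group, and then lists the ACEs on c:\inetpub that apply to WSS_WPG or to the pool accounts. It assumes the WebAdministration module (IIS 7.x) is available and that it runs as a local administrator; any account names in the comments are illustrative only.

```powershell
# Added audit check (not from the original question or answer). Assumes the
# WebAdministration module (IIS 7.x) is loadable and the script runs elevated
# on the SharePoint web front end.
Import-Module WebAdministration

$server = $env:COMPUTERNAME

# Resolve the members of a local group (e.g. WSS_WPG) as DOMAIN\name strings.
function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]"WinNT://$server/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/svc-portal (illustrative name);
        # turn it into CONTOSO\svc-portal so it matches the IIS userName format.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$wpgMembers = @(Get-LocalGroupMembers 'WSS_WPG')

# For every application pool that runs as a specific (domain) account, report
# whether that account is actually in WSS_WPG. Pools using built-in identities
# (NetworkService, ApplicationPoolIdentity, ...) are skipped.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pool = $_
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser') {
        New-Object PSObject -Property @{
            AppPool   = $pool.name
            Identity  = $pm.userName
            InWSS_WPG = ($wpgMembers -contains $pm.userName)
        }
    }
} | Format-Table AppPool, Identity, InWSS_WPG -AutoSize

# Show what WSS_WPG, or a pool account granted rights directly, can do on
# c:\inetpub, the folder the question expects non-admin access problems with.
(Get-Acl -Path 'C:\inetpub').Access |
    Where-Object {
        $_.IdentityReference.Value -like '*\WSS_WPG' -or
        ($wpgMembers -contains $_.IdentityReference.Value)
    } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

A pool identity that shows InWSS_WPG as False means SharePoint did not add it to the group (for example because the account was changed directly in IIS rather than through Central Administration), so the TechNet permission table will not apply to it.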