Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
IIS APPPOOL\{app pool name}
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
Simplest interpretation of the error: IIS has detected a folder called
C:\inetpub\wwwroot\BudgetManagerMain\BudgetManager
and tried to read a web.config file from that location, but the Application Pool account hasn't been able to read a web.config file in that folder.
This is probably going to be because of NTFS permissions preventing the Network Service account (you noted above) from accessing that folder.
The Application Pool Account requires Read access to all folders and web.config files within the website.
Best Answer
In IIS6 and IIS7, the equivalent for ASP.NET to the ASPNET user is the application pool identity user. By default that's NETWORK SERVICE in IIS7, and the App Pool identity in IIS 7.5+. You can grant that user permissions to disk and it will work.
The 'better' way is to create custom users per app pool and assign them permission to disk so that the sites are isolated from each other, and so that other applications on the server that use Network Service can't access the content of your sites. However, that's a judgment call that you need to make in your situation.
The other user that comes into play is the anonymous or authenticated user of your site. That's defined in the authentication -> anonymous section of your site. In IIS7 I recommend setting that to use the app pool identity, as long as you only have 1 site per pool, or as long as the sites in the app pool highly trust each other. Then you only need to maintain 1 user on disk.
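A PowerShell version of the icacls grant from the first answer, plus an audit that walks the site for subfolders where the app pool identity lacks read access (the situation behind the web.config error above). This is an added example, not code from any of the answers; the site path and pool name are placeholders, and it assumes the Application Host Helper Service is running so the IIS AppPool virtual account resolves.

```powershell
# Added example, not from the answers above. Assumes IIS is installed and the
# Application Host Helper Service is running so "IIS AppPool\<name>" resolves.
# Site path and pool name are placeholders; run from an elevated prompt.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\ExampleSite',   # hypothetical path
    [string]$AppPoolName = 'DefaultAppPool'
)

$ReadBits = [int][System.Security.AccessControl.FileSystemRights]::Read

# Grant the app pool identity Read & Execute on the site root, inherited by
# subfolders (CI) and files (OI): the same effect as the icacls command above.
function Grant-AppPoolRead {
    param([string]$Path, [string]$PoolName)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "IIS AppPool\$PoolName",
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: return every folder under the site where the app pool identity has
# no Allow ACE containing the Read bits, or has any Deny ACE. This catches the
# usual cause of the web.config error: a subfolder with inheritance disabled.
# Only explicit rights are inspected; generic-rights ACEs are not expanded.
function Test-AppPoolRead {
    param([string]$Path, [string]$PoolName)
    $identity = "IIS AppPool\$PoolName"
    $problems = @()
    $dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse)
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        $mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $identity })
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $ReadBits) -eq $ReadBits) })
        $deny = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($allow.Count -eq 0 -or $deny.Count -gt 0) { $problems += $d.FullName }
    }
    return $problems
}

Grant-AppPoolRead -Path $SitePath -PoolName $AppPoolName
Test-AppPoolRead -Path $SitePath -PoolName $AppPoolName |
    ForEach-Object { "Check read access for IIS AppPool\${AppPoolName}: $_" }
```

Folders reported by Test-AppPoolRead are the ones to inspect in the Security tab; in a domain environment the identity only resolves when the lookup Location is the local computer, as the first answer notes.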