IIS 7.0 – Difference Between Application Pool Identity and Website Identity

Tags: application-pools, iis, iis-7, security

In IIS 5.0, by default the identity account of an application pool is ASPNET, and the website, unless impersonation is enabled, runs under the account of its application pool's identity.

But in IIS 7.0, there are two places where I can configure the account that my website will use: at the application pool level and at the website level.

I expected website identity to override the application pool identity, but I've just seen that it is not the case.

So, what's the difference?

Best Answer

The two accounts are different things. Think of the website identity as representing the user of the site. If you create a new website, this account is the anonymous IIS account. If you disable "Anonymous Authentication", your users will have to authenticate against the website (in an intranet/Windows domain site this could be implicit, using the network credentials).

The application pool identity is the Windows account needed for running your assemblies. Normally it is the "Network Service" account, which is a least-privileged account with limited user rights and permissions. It does have network credentials. This means that you can use it to authenticate against network resources in a domain. You can also use it to access a SQL Server database with integrated security.

For example, if your ASP.NET application has to write to a folder, you have to grant the permission to the application pool account, not to the website account. For more information on application pool identities, read here.

Note: In IIS 7 there is a way to use the same account as the Application Pool identity for the anonymous website account.
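The two steps the answer describes, as an added worked example that is not part of the original answer: grant the folder permission to the application pool account (not the anonymous user), and set the site's anonymous user to the application pool identity. It is a PowerShell script assuming the WebAdministration module on an IIS 7.x server; the site name `MyApp`, pool name `MyAppPool` and content path `C:\inetpub\MyApp` are assumptions for illustration. It uses the `ApplicationPoolIdentity` setting (the default from IIS 7.5; on IIS 7.0 the pool identity is "Network Service" by default, and the same grant then goes to `NT AUTHORITY\NETWORK SERVICE`).

```powershell
# Added example, not from the original answer. Site, pool and paths are assumptions.
Import-Module WebAdministration

$siteName     = 'MyApp'                                # assumed site name
$poolName     = 'MyAppPool'                            # assumed application pool name
$physicalPath = 'C:\inetpub\MyApp'                     # assumed content folder
$uploadPath   = Join-Path $physicalPath 'App_Data'     # folder the application writes to

# 1. A dedicated pool running as ApplicationPoolIdentity. The worker process then
#    runs as the virtual account "IIS AppPool\<pool name>", which is the account
#    that needs NTFS rights and that Windows/SQL integrated security will see.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# 2. Grant the pool account, not the anonymous website user, Modify on App_Data only.
#    Keeping the grant to the one writable folder leaves the rest of the site read-only.
$poolAccount = "IIS AppPool\$poolName"
if (-not (Test-Path $uploadPath)) { New-Item -ItemType Directory -Path $uploadPath | Out-Null }
$acl  = Get-Acl $uploadPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $poolAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $uploadPath -AclObject $acl

# 3. Make the anonymous website identity the application pool identity (the option
#    the answer's note refers to). In anonymousAuthentication an empty userName
#    means "use application pool identity" instead of the separate IUSR account.
$authFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -Filter $authFilter -PSPath 'IIS:\' -Location $siteName -Name enabled  -Value $true
Set-WebConfigurationProperty -Filter $authFilter -PSPath 'IIS:\' -Location $siteName -Name userName -Value ''

# 4. Verify: pool identity type, anonymous user (blank = pool identity), and the ACE on App_Data.
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType
Get-WebConfiguration -Filter $authFilter -PSPath 'IIS:\' -Location $siteName | Select-Object enabled, userName
(Get-Acl $uploadPath).Access | Where-Object { $_.IdentityReference.Value -eq $poolAccount }
```

If authentication is later switched from anonymous to Windows authentication, step 2 is still the right place for the grant: without ASP.NET impersonation the worker process keeps running as the pool account, so that is the identity the file system sees, whatever the website identity is.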