I'm setting up a web site in IIS 6.0 and am confused about accounts and permissions. I've got an app pool set up especially for this web site, with a particular user. The Authentication Methods property sheet has the IUSR_XXX account as the anonymous user.
According to this question: In IIS 7.0, what is the difference between the application pool identity and the web site identity?
...the application pool account should be used for file access. But I'm not seeing that behavior. If I only give the web site user account permission to the file system, I get access denied errors. But if I give IUSR_XXX read permission to the files, they'll display.
So what's going on here? Is the behavior different between my IIS 6 and the IIS 7 in that question? Should I ignore the app pool and just change the anonymous user? What's the recommended setup here for a site that will need to access a database and write to certain folders in the file system?
Any help would be much appreciated, thanks!
Best Answer
The IUSR and the Network Service account are both used by IIS. Here are my recommendations...
The IUSR and Network Service need to have Read access to all the application files (.aspx pages etc.) and dlls for the website. The IUSR would need to have Write access to any folder where the website is writing files (this could be dangerous on a public site). The database would be accessed by a SQL or Network account specified in the web.config in the database connection section.
Same as above. The Write access to any folder is now better protected because the person using the website has been authenticated by your application.
The user credentials of the authenticated user need to have Read access to all the application files (.aspx pages etc.) and dlls for the website. The user credentials of the authenticated user would need to have Write access to any folder where the website is writing files. The database would be accessed by a SQL or Network account specified in the web.config in the database connection section or by the user credentials of the authenticated user.
Update: The Network Service account (or whatever account you are using for your application pool) and the IUSR work together. It is not always 100% clear to me which account is controlling access to which resources but I do know from experience that you need to have both. The IUSR is used for accessing .aspx pages, image files, static content, etc. The Network Service account accesses the IIS metabase, your application dlls, the .Net framework files, etc. Hope this helps.
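One way to audit the layout the answer recommends (Read for both accounts on the site files, Write only where the site has to write), as an added example that is not part of the original answer. The site path, the writable folder and the function name `Get-WebAclReport` are assumptions, and `IUSR_XXX` is the placeholder name from the question.

```powershell
# Added example, not from the original answer. Paths and account names are assumptions.
$SiteRoot  = 'D:\Sites\ExampleSite'             # hypothetical site root
$WriteDirs = @('D:\Sites\ExampleSite\Uploads')  # hypothetical folders the site must write to
$Accounts  = @("$env:COMPUTERNAME\IUSR_XXX",    # anonymous user (placeholder name from the question)
               'NT AUTHORITY\NETWORK SERVICE')  # app pool identity; change if the pool uses another account

# Rights that let an account alter content, as opposed to reading it.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ReadBit   = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-WebAclReport {
    param([string]$Root, [string[]]$Accounts, [string[]]$WritableDirs)

    # The root itself plus every folder below it.
    $dirs = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        $path = $dir.FullName
        $acl  = Get-Acl -Path $path
        # Is this folder one of the approved writable folders, or inside one?
        $approved = @($WritableDirs | Where-Object {
            $path -eq $_ -or $path.StartsWith("$_\", [System.StringComparison]::OrdinalIgnoreCase)
        }).Count -gt 0

        foreach ($account in $Accounts) {
            # Combine the Allow ACEs (explicit or inherited) that name the account directly.
            $rights = 0
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $account) {
                    $rights = $rights -bor [int]$ace.FileSystemRights
                }
            }

            $status = 'OK'
            if (($rights -band $WriteBits) -ne 0 -and -not $approved) { $status = 'WRITE outside approved folders' }
            elseif (($rights -band $ReadBit) -eq 0) { $status = 'No direct read ACE' }

            New-Object PSObject -Property @{ Path = $path; Account = $account; Status = $status }
        }
    }
}

# Show only the folders that deviate from the intended layout.
Get-WebAclReport -Root $SiteRoot -Accounts $Accounts -WritableDirs $WriteDirs |
    Where-Object { $_.Status -ne 'OK' } | Select-Object Status, Account, Path | Format-Table -AutoSize
```

An account that gets access only through a group such as Users or Everyone, or through an ACE written with generic rights, shows up as having no direct read ACE. Deny entries are not evaluated.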