I am trying to understand IIS file permissions. A given file has "full control" permissions for IIS_IUSRS. But it seems all Application Pool Identity users cannot access the file. (I have noticed that some of my Application Pool Identity users were not members of IIS_IUSRS for some reason, so I simply added them manually.)
When a given Application Pool Identity is a member of IIS_IUSRS, how can it be that the Application Pool Identity user cannot access the file if IIS_IUSRS can access it? Please see my screenshots below. Thank you.
Best Answer
When using anonymous authentication by default IIS uses a specific user named
IUSR
to access files. This user is automatically a member of the WindowsUsers
but not a member ofIIS_IUSRS
If you removed permissions for
Users
from your files, the default site setup wont work anymore.I usually don't use
IUSR
, to change this in the GUI, select the server or site node and open theAuthentication
icon, selectAnonymous Authentication
and theEdit
in the Actions pane on the right:change from a specific user to
Application pool identity
, now the file access is done via this account and it should be able to access your files.You can do the same in PowerShell:
For the whole server:
For a specific site:
I wrote a bit about this in a blog post