I am trying to understand IIS file permissions. A given file has "full control" permissions for IIS_IUSRS. But it seems all Application Pool Identity users cannot access the file. (I have noticed that some of my Application Pool Identity users were not members of IIS_IUSRS for some reason, so I simply added them manually.)
When a given Application Pool Identity is a member of IIS_IUSRS, how can it be that the Application Pool Identity user cannot access the file if IIS_IUSRS can access it? Please see my screenshots below. Thank you.
Best Answer
When using anonymous authentication by default IIS uses a specific user named
IUSRto access files. This user is automatically a member of the WindowsUsersbut not a member ofIIS_IUSRSIf you removed permissions for
Usersfrom your files, the default site setup wont work anymore.I usually don't use
IUSR, to change this in the GUI, select the server or site node and open theAuthenticationicon, selectAnonymous Authenticationand theEditin the Actions pane on the right:change from a specific user to
Application pool identity, now the file access is done via this account and it should be able to access your files.You can do the same in PowerShell:
For the whole server:
For a specific site:
I wrote a bit about this in a blog post