The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.
For example, if you try and create a folder in the C:\Windows folder then you'll find that you can't. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLL's).
With regard to your observations about being able to write to your c:\dump folder. If you take a look at the permissions in the Advanced Security Settings, you'll see the following:
See that Special permission being inherited from c:\:
That's the reason your site's ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.
In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).
You would then individually assign the requisite permissions each IIS AppPool\[name] requires on it's site root folder.
You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don't store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.
So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than it's group membership dictates.
An ApplicationPoolIdentity's group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you're interested in (you will have to add the User Name column to the list of columns to display:
For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right clicking on properties for the process and selecting the Security tab we see:
As we can see IIS APPPOOL\900300 is a member of the Users group.
as monojlds says it's a credential issue - the error means the credentials you have entered for the app pool are incorrect or not in the right group.
is it a local user or a domain user? maybe the box can't authenticate against the domain being used? could the account be locked out? (that last one used to get me a lot)
on the IIS server you can test the credentials using runas on the command prompt.
runas /user:<username> cmd
it'll ask for you password and either launch another cmd or provide an error message. That'll help troubleshoot the user credentials.
Matt
Best Answer
When I see this in IIS 6 and the user has a custom app pool identity, the problem typically originates in the entry of credentials in the app pool properties. So there are generally two origins for the issue.
One is a simple typo in the credentials, unfortunately the form validation is not very good in IIS 6, so I often will have users change the identity of the app pool, then immediately check that the credentials "took" and/or check the System event log for W3SVC and related errors.
The second specific cause I see in this scenario is when people enter an Active Directory user, they sometimes forget to add the domain name. (e.g. DOMAIN\Username). Which leads me to the next point, the IIS_WPG is the builtin local group which grants members the required ACLs to run as an app pool identity. The
aspnet_regiis.exe -gagrants the same thing to users, but IMO it is best suited for use when the IIS_WPG group is not an option. Also a dedicated app pool user account is generally a good idea. If the AD user password is changed, you'll bring your app to its knees until you again re-enter the credentials in the IIS Manager.Edit: I added some para breaks to make this chunk more readable.