IIS_IUSRS and IUSR permissions in IIS8

When I added permissions for IIS_IUSRS to the site folder, resources like JavaScript and CSS were still inaccessible (error 401, forbidden). However, when I added IUSR, it started working. So for sure you cannot remove the permissions for IUSR.

I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.

In short - you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.

Applying Modify/Write Permissions to the Correct User Account

1. Right-click the domain when it appears under the Sites list, and choose Edit Permissions

Under the Security tab, you will see MACHINE_NAME\IIS_IUSRS is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry.

2. Click the Edit button, then Add...

3. In the text box, type IIS AppPool\MyApplicationPoolName, substituting MyApplicationPoolName with your domain name or whatever application pool is accessing your site, e.g. IIS AppPool\mydomain.com

4. Press the Check Names button. The text you typed will transform (notice the underline):

5. Press OK to add the user

6. With the new user (your domain) selected, now you can safely provide any Modify or Write permissions

IUSR is part of the IIS_IUSER group, so I guess you can remove the permissions for IUSR without worrying. Further reading

However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.

The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. DefaultAppPool is the default pool that is assigned to all Application Pools you create.

To make it more secure you can change the IIS DefaultAppPool Identity to ApplicationPoolIdentity.

Regarding permissions, Create and Delete summarize all the rights that can be given. So whatever you have assigned to the IIS_USERS group is all that they will require.

@EvilDr You can create an IUSR_[identifier] account within your AD environment and let the particular application pool run under that IUSR_[identifier] account:

"Application pool" > "Advanced Settings" > "Identity" > "Custom account"

Set your website to "Applicaton user (pass-through authentication)" and not "Specific user", in the Advanced Settings.

Now give that IUSR_[identifier] the appropriate NTFS permissions on files and folders, for example: modify on companydata.