I'm using IIS7 (Windows Server 2008 x64) and I have a website setup using anonymous authentication. The anon user identity is configured as IUSR. The application writes files to a folder and I'm giving the IIS_IUSRS group RW permissions to the folder. This doesn't work. I must explicitly give IUSR RW perms to allow the application to write to the folder.
It's my understanding that the application pool identity is automatically added to the IIS_IUSRS group. I assumed that IUSR (or any anonymous user identity) was also an implied member of the IIS_IUSRS group as well. It doesn't appear that this is the case.
While troubleshooting, I use Process Monitor to view access to the folder and determined that Network Service (the application pool identity) is impersonating IUSR (this is what I expected) but giving RW perms to the IIS_IUSRS group didn't allow IUSR to access the file (Access Denied).
Can anyone explain whether IUSR is or isn't a member of the IIS_IUSRS group?
I've reviewed the following documentation and found no solid answer:
That is because these are two different things. IIS_IUSRS is the group for IIS Worker Process Accounts. This means the identity that the application pool itself runs under. IUSR is the anonymous user identity. That means the identity that IIS believes to be the user who is accessing the site.
Now even though you didn't say it, let me guess - this app is classic asp? (Otherwise, if it is .Net then you must be using impersonation). Either way, what happens is that resources are accessed as the impersonated identity, meaning, the anonymous user in your case, meaning IUSR. That is why you have to grant it the rights. In .Net, if you turn off impersonation, you will find that IIS_IUSRS will come into play as you are expecting. In Classic ASP (and for static files), you don't have a choice, impersonation is always "enabled"; so its always the user identity which is used, not the pool identity. So since IIS_IUSRS is for pool identities, it is not in play.
Edit after OP added more information:
It is easy to confuse IUSR and IIS_IUSRS because of their names. To way to see that they are different is to remember that IIS_IUSRS is a replacement for IIS_WPG in IIS6, which was the Worker Process Group. To these groups you add accounts that you want to run your pools under, not anon identities, anon privileges are supposed to be more limited. eg. sometimes you might want to use a domain account to run the pool for kerberos delegation to other network resources. Then you would add that service account to this group.
When impersonation is enabled the pool/process pretends to be the user because it was told to. In case of anon auth (your case), that user is IUSR. In case of windows auth, it would be the user's windows\domain identity. This is also why you get a performance hit with impersonation, because the process has to switch to a different identity for resource access.
If you are using .NET and anonymous authentication, then I don't see why you would enable impersonation though. In case you are not using or don't need impersonation, you should be aware of some more trickery in the case of IIS7: you can make your IUSR go away completely and end all confusion. I think you would like that, and it's my preferred method too. All you have to do is to tell it to reuse the pool identity as the anonymous identity.
So after this you will only have to deal with the IIS_IUSRS group. But dont get confused, this still doesn't mean that these two are the same! It may be possible for the process identity to substitute for IUSR, but not the other way around !
Some more IIS7 trickery to be aware of: if you look at IIS_IUSRS, it may be empty. Thats because your virtual pool identities are automatically added to it when the pool starts, so you dont have to worry about these things.
This table should help clarify better how the thread execution identity is determined: