On my server, the IUSR_MYSERVER account has write access to some directories. I know this because if you check effective permissions, it says it can "Create Files / Write Data" and "Create Folders / Append Data". The trouble is, if I go look at permissions that are defined, the IUSR_MYSERVER account only had Read & Execute permissions, and nothing more.
This account isn't a member of any groups. What are some things I can check to determine how this account has access to write to files?
Edit: Here is a list of permissions defined for the directory:
Allow Domain Users (MYDOMAIN\Domain Users) Read & Execute
Allow CMS Account (Specific account from our CMS that uploads content) Modify
Allow Internet Guest Account (MYSERVER\IUSER_MYSERVER) Read & Execute
Allow Launch IIS Process Account (MYSERVER\IWAM_MYSERVER) Read & Execute
Allow Web Group (MYDOMAIN\Web Group) (This is a group of users who work on the website) Modify
Allow Administrators (MYSERVER\Administrators) Full Control
Allow CREATOR OWNER Full Control
Allow SYSTEM Full Control
Allow Users (MYSERVER\Users) Special (Allowed: Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Read Permissions Denied: None)
Allow users (MYSERVER\Users) Read & Execute
An account doesn't necessarily have to be a member of groups to pick up permissions that aren't specifically defined; the
Authenticated UsersandPre-Windows 2000 Compatible Accessgroups are a couple common examples.If you can post the permissions list for the directory, stripping out any private info, that may help to find the source.
Accounts are always members of some groups. In windows these are referred to as implicit groups or identities. Some examples of this are everyone, self ,interactive, authenticated users. For 2003 the list of what they are and what they contain can be found here, for 2008 and above the list can be found here
The account is in "Users", which has the rights you say you're confused by.