I have a web application which I need to grant permissions to a file share that's hosted on another machine in my DMZ. Users are accessing the application anonymously using the IUSR_Machine account, which appears to be the standard configuration. The application needs to serve files that are hosted in a share that the web server accesses across the network.
How do I grant this user account access to the remote file share? Is this common? What is the best practice for this?
Use a domain user account as the anonymous account instead, and grant access to that account. You can do this all the way down to a per-page basis, so you might not need to edit any permissions already used by IUSR_MACHINE on the local box if it's a specific page or request that triggers the remote file share access.
The tool SUBINACL could be used to replace local IUSR_MACHINE ACLs with the new user, but be careful; it's easy to screw up the permissions with that as well.
You could also experiment with allowing Machine$ connections to that share, but I suspect it'll be a null user rather than the machine account in most cases; you might have a case where that's not, uh, the case.
I would add an Access Control Entry (ACE) for the webserver\IUSR_Machine account to the share/NTFS permissions.