In a Windows domain, is it possible to create a Active Directory group "WebDevelopers", which is just like the normal user group, except that users also have admin rights on their local IIS (e.g., inetmgr & iisreset)?
Note:
Not admin rights as a whole, because then they could install programs and modify systems.
This is tough simply because you have to have elevated permissions in most cases to be able to even run the IIS Manager snap-in, let alone execute commands to perform some of the admin functions.
Not to mention the IIS security model stores users within itself and then delegates permissions to individual sites and applications.
I simply don't know if there is a GPO or some other settings where you can pre-configure all of this. Most likely you could create a massive PowerShell script to configure ACLs for every possible program they need and then use the IIS PowerShell cmdlets to configure permissions within IIS.
Are there specific functions they need to be able to perform locally?
Alternatively, are these developer machines we are talking about? If so they most likely will need elevated permissions anyway to be able to run Visual Studio or any other IDE. Not to mention current development trends typically require the installation of packages, SDKs and other things to manage. If these are dev machines you might want to seriously consider providing local admin rights and having a re-image system in place to handle things when they go wrong.