Let me rephrase my question as I investigated further:
The problem:
I have a PHP script that is used to upload images on my Windows webserver 2008. The files are created in the correct directory. They are created and owned by the user Network Service. Network Service has full access to the uploaded file.
As soon as I try to access the uploaded file (mostly an image) via HTTP, I get a 401.3 not authorized error.
Now, if I right-click on the inaccessible image and grant the IIS_IUSRS group read permissions via the security tab, the image can be accessed! By default IIS_IUSRS has NO access at all for the uploaded file.
The directory containing the image files has the correct access rights set. But each file that is newly uploaded to the directory is permitted for IIS_IUSRS.
The question:
How can I grant IIS_IUSRS by default access to the newly uploaded file? The appPool of the website has its identity set to its default, I also tried setting it to "networkIdentity" or so, but that did not work either.
Here is a fine solution: http://sharepointalex.co.uk/index.php/2010/06/fixing-wordpress-image-upload-on-a-windows-server-permissions-problem/
To summarize: Give your IUSR account Modify permissions for the C:/Windows/Temp/ directory and restart the IIS site. Or you could modify where PHP writes to using the php.ini by overwriting the upload_tmp_dir value, which may be preferable to letting a web application write to the C:/Windows/ directory.
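One way to carry out the second option from the answer above, as an added example that is not part of the original answer or the linked post. The paths `D:\PHPUploadTemp`, `D:\Sites\example\uploads` and `C:\PHP\php.ini` and the `$writer` variable are assumptions to be replaced with your own values; run it from an elevated PowerShell prompt.

```powershell
# Added example: move PHP's upload temp directory out of C:\Windows\Temp
# and give it the ACL that uploaded files should carry.
$tmp     = 'D:\PHPUploadTemp'          # assumed new upload_tmp_dir
$uploads = 'D:\Sites\example\uploads'  # assumed final upload folder
$ini     = 'C:\PHP\php.ini'            # assumed php.ini location
$writer  = 'IUSR'                      # account PHP writes as; use the app pool
                                       # identity (e.g. 'NETWORK SERVICE') if
                                       # that is what owns your uploaded files

New-Item -ItemType Directory -Path $tmp -Force | Out-Null

# Writer needs Modify on the temp directory only; IIS_IUSRS gets read access.
# (OI)(CI) makes files created in the directory inherit both entries.
icacls $tmp /grant "${writer}:(OI)(CI)M"
icacls $tmp /grant 'IIS_IUSRS:(OI)(CI)RX'

# Point upload_tmp_dir at the new directory, keeping a backup of php.ini.
Copy-Item -Path $ini -Destination "$ini.bak" -Force
$line = "upload_tmp_dir = `"$tmp`""
$text = Get-Content -Path $ini
if (-not ($text -match '^\s*;?\s*upload_tmp_dir\s*=')) {
    throw "No upload_tmp_dir line found in $ini; add '$line' by hand."
}
$text = $text -replace '^\s*;?\s*upload_tmp_dir\s*=.*$', $line
Set-Content -Path $ini -Value $text

# Files uploaded before the change still lack the IIS_IUSRS entry:
# reset them so they inherit the ACL of the upload folder again.
icacls "$uploads\*" /reset /T

# Restart IIS so PHP re-reads php.ini, then show the resulting ACL.
iisreset
icacls $tmp
```

After the restart, upload a new image and check its Security tab: it should list IIS_IUSRS with read access without any manual change.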