IIS User and Group Accounts
IIS makes use of the following user and group accounts:
- ASPNET: a local user account used by IIS and ASP.NET when IIS is configured to run in IIS 5.0 Isolation mode. By default, this account cannot log on to the computer via Remote Desktop Connection (RDC).
- IUSR_ServerName: allows users anonymous access to Web and FTP sites hosted by IIS and must be active for users to access sites without entering a valid username and password. If the server is a member of a domain, this user account is a member of the Domain Users group and the Guests group.
- IWAM_ServerName: grants the Log on as a Batch Job user right and is used for Web applications. If IIS is running in IIS 5.0 Isolation mode, out-of-process applications cannot run if this account is not active. If the server is part of a domain, this user account is a member of the Domain Users group and the IIS_WPG group.
- IIS_WPG: created on the local computer and within the domain, if the computer is a member of a domain. This local group account includes the IWAM_ServerName, Local Service, Network Service and System accounts by default.
- Local Service: permits access to the local system only and has limited rights. Grants users the right to log on as a batch job.
- Local System: permits access to log on to the local computer interactively, as a batch job, or as a service. All users who access IIS or the Indexing service do so through this account.
- Network Service: offers more permissions than the Local Service account, but grants fewer permissions and rights than the Local System account. Applications or services that log on using this account can log on as a service and can access other servers on the network. By default, Web applications use this account when IIS 6.0 is running in Worker Process Isolation mode.
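
As an added example (not part of the original page), the following PowerShell sketch compares the membership of the IIS_WPG group against the default members listed above and reports any additions or omissions. The function names, the server name WEB01 and the sample member list are assumptions made for illustration.

```powershell
# Added example: audit IIS_WPG membership against the defaults listed on this page.
# Function names, 'WEB01' and the sample data are hypothetical.

function Get-ExpectedIisWpgMembers([string]$ServerName) {
    # Default members of IIS_WPG as described in the list above
    @("IWAM_$ServerName", 'Local Service', 'Network Service', 'System')
}

function Compare-IisWpgMembers([string]$ServerName, [string[]]$Actual) {
    $expected = Get-ExpectedIisWpgMembers $ServerName
    # -contains / -notcontains compare case-insensitively, like Windows account names
    New-Object PSObject -Property @{
        Unexpected = @($Actual   | Where-Object { $expected -notcontains $_ })
        Missing    = @($expected | Where-Object { $Actual   -notcontains $_ })
    }
}

function Get-LocalGroupMemberNames([string]$Group) {
    # Reads a local group through the WinNT ADSI provider (no extra modules needed)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Constructed sample: the defaults plus one extra account (hypothetical name)
$sample = @('IWAM_WEB01', 'LOCAL SERVICE', 'NETWORK SERVICE', 'SYSTEM', 'svc_deploy')
$r = Compare-IisWpgMembers -ServerName 'WEB01' -Actual $sample
"Unexpected: $($r.Unexpected -join ', ')"
"Missing:    $($r.Missing -join ', ')"

# On the IIS server itself, audit the live group instead of the sample:
# Compare-IisWpgMembers $env:COMPUTERNAME (Get-LocalGroupMemberNames 'IIS_WPG')
```

Any account reported as unexpected can run code in a worker process identity, so it is worth confirming that it was added deliberately.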