When a user runs a program on her computer, that program runs with the rights associated with that particular user. If the program attempts to access network resources, such as network folders or an Exchange server, the access succeeds only if the user who ran the program has the rights to do so. This is more complicated in web applications because the web server is not running under the end user’s login name. To access a message store on a web user’s behalf requires an understanding of the Windows NT authentication process. This process and its relation to IIS are explained in this section.

When IIS is installed on a computer, the installation process creates a username on that computer called “IUSR_ComputerName“, where ComputerName is the name of the computer on which IIS is installed. For example, if IIS is installed on a computer named “MyServer”, the username “IUSR_MyServer” is created on that computer. IIS keeps track of the password for this username. When script on a web page attempts to access a protected resource, IIS tries to gain access to that resource in two ways. First, IIS tries to access the resource as the IUSR_ComputerName username. If an administrator has granted access rights to that user, the access succeeds. If not, IIS attempts to communicate with the web user’s browser in order to determine the identity of the web user. If it can be reliably determined who the web user is, IIS can impersonate the web user for the purpose of gaining ...