Application Pool Users

Application pools (w3wp.exe) run under the user that you specify, which IIS uses to access various system and network resources. For example, they have access to website data on the server's hard disk drive, the ability to perform certain system functions, access to the registry, or access across the network. The default user is the Network Service account, which has limited permissions on the web server and network, but is assigned sufficient permissions to run a standard website. IIS 8.0 allows you to select from three built-in accounts or to create your own custom user (see Figure 8.29).

Figure 8.29

The built-in accounts are

• Network Service
• Local Service
• Local System
• Windows Application Pool Identity

The following sections discuss the four built-in accounts and how to create a custom user account.

Network Service Account

In Windows Server 2008, the default application pool user is the built-in Network Service account. Though the AppPoolIdentity account (see below) is the default for IIS 8 in Windows Server 2012, the Network Service account remains available. It has minimal permissions on the local computer and network. If you are accessing a resource on another device in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the server. This device can be a database, a UNC share, or any ...