When Anonymous access is permitted, a remote user is not required to supply credentials to access a file. Instead, IIS 8.0 attempts to use a pre-configured account to access the resource (for example, to read a file off the hard disk). If that account has appropriate rights, then the action (typically to read the file) is performed. If the pre-configured account does not have permission to access the resource, but some other authentication mechanism is enabled that both server and client support, then the user has an opportunity to supply credentials that can access the resource. If no alternate authentication mechanism is enabled or there is no alternate authentication mechanism that both client and server support enabled, then a 401.3 (“Unauthorized due to ACL on resource”) HTTP status is generated.
By default, the configured anonymous access account is the IUSR account created when IIS 8.0 is installed. This account replaces the IUSR_<machinename> account used in previous versions of IIS.