Managing Application Pools in IIS 7

http://technet.microsoft.com/en-us/library/cc753449%28WS.10%29.aspx

• In IIS 7, application pools run in one of two modes: integrated mode and classic mode. 

Most managed applications should run successfully in application pools with integrated mode, but you may have to run in classic mode for compatibility reasons. Test the applications that are running in integrated mode first to determine whether you really need classic mode.

• http://learn.iis.net/page.aspx/624/application-pool-identities/

Application Pool Identity Accounts

Worker processes in IIS 6.0 and IIS 7 run as NETWORKSERVICE by default. NETWORKSERVICE is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. Click here for more information about Virtual Accounts.

Securing Resources

Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

1. Open Windows Explorer
2. Select a file or directory.
3. Right click the file and select "Properties"
4. Select the "Security" tab
5. Click the "Edit" and then "Add" button
6. Click the "Locations" button and make sure you select your machine.
7. Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box.
8. Click the "Check Names" button and click "OK".

By doing this, the file or directory you selected will now also allow the "DefaultAppPool" identity access.