Each web site that you create in IIS has an application pool associated with it - this is basically an execution sandbox for that website.
Prior to IIS 7.5 - the user NETWORK SERVICE was assigned as the user identity for each of these application pools by default,
and for web applications like DNN that require full access permissions - it was this user "NETWORK SERVICE" - that you would
always be told to grant FULL ACCESS permission for the DNN folder.
This however changed in IIS 7.5 - now by default a new VIRTUAL app pool user is assigned to each new application pool.
The idea being that this added a new layer of security granularity - each app pool has its own insulated system user.
So now - by default - instead of needing to grant FULL ACCESS to NETWORK SERVICE you actually need to be granting FULL ACCESS to a special virtual user called DefaultAppPool.
Now while this is a great idea in principle - Microsoft actually stuffed up a little early on when it comes to how this "User" is managed.
It was actually not possible by default to adjust or assign permissions via this VIRTUAL user to the web site's folders because the WINDOWS Access Control List browser layer does not actually believe that the user exists - since it does not actually have a user profile. Basically - Windows does not show DefaultAppPool as a user you can assign permissions to.
It's not actually that hard to get the ACL to see this user - but you have to do it manually:
-------------------------------------------------------
- Open Windows Explorer
- Locate and select the directory that you set as your website root.
- Right click the file and select "Properties"
- Select the "Security" tab
- Click the "Edit" and then "Add" button
- Click the "Locations" button and make sure you select your machine.
- Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box.
- Click the "Check Names" button and click "OK".
By doing this, the directory you selected will now also allow the "DefaultAppPool" identity access.
===============================================
Once you have done this you should be able to assign FULL ACCESS to the DefaultAppPool user - in the safe knowledge that this FULL ACCESS permission is ONLY available to the specific APPLICATION POOL associated with your website and not any other entity. Basically - it prevents the application pool gaining access to any other folders controlled by a different application pool.
If this all seems a bit like messing around - you can always change the application pool identity back to NETWORK SERVICE - since in reality unless you are running your own banking system it's unlikely that you really need to lock down security to the level of granularity this new feature offers.
Westa
PS - there is another option that revolves around creating a new user manually for each application pool - which actually gives you the highest real level of security granularity - create a user "myAppPoolUser001" - assign your application pool identity to this user - grant this user FULL ACCESS - but if you do this you also need to make sure you grant FULL ACCESS to the temporary folder used by ASP.NET - which if you are on ASP.NET 3.5 or less should be something like C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\
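
The Explorer steps in the post above can also be scripted. The PowerShell below is an added example, not part of the original post: the site path is an assumed placeholder, the right granted defaults to the FULL ACCESS the post describes, and the script also reports whether the shared NETWORK SERVICE account still holds rights on the folder.

```powershell
# Added example. $SitePath is an assumed placeholder; adjust it for your site.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\MySite',
    [string]$PoolName = 'DefaultAppPool',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

# Resolve the virtual account to a SID before touching the ACL, so a
# mistyped pool name stops here instead of after the ACL has been changed.
try {
    $poolSid = $account.Translate($sidType)
} catch {
    throw "Cannot resolve 'IIS AppPool\$PoolName' on this machine: $($_.Exception.Message)"
}

# Allow rule on the folder, inherited by its subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $poolSid, $Rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $SitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# Read the ACL back with identities as SIDs and show the app pool's entries.
$rules = (Get-Acl -Path $SitePath).GetAccessRules($true, $true, $sidType)
$rules | Where-Object { $_.IdentityReference.Value -eq $poolSid.Value } |
    Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize

# S-1-5-20 is the well-known SID of NETWORK SERVICE. Any entry left for it
# is usable by every service running under that shared account.
$shared = $rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' }
if ($shared) {
    Write-Warning "NETWORK SERVICE still has rights on ${SitePath}: $($shared.FileSystemRights -join ', ')"
}
```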