Question

I am asking about the account of the user which runs the ASP.NET/IIS (or Cassini or IIS Express) application. I am asking about the defaults. There is very much confusion out there. Googling shows me a lot of types of users, for example,

  • my-computer-name\myname user,
  • IIS APPPOOL\ASP.NET v4 user,
  • IIS_WPG,
  • IIS_IUSRS user,
  • Network service user,
  • AspNet user,
  • IUSR_MachineName user,
  • IIS_IUSRS user,
  • IUSR user,
  • IIS_WPG user,
  • IWAM_computername user,
  • IIS APPPOOL\DefaultAppPool user.

These are quite confusing.

Solution 2

Well, for one this is different based on the version of Windows that you are running. And second, you are asking about 3 different servers. So that is probably what is making it confusing.

Development servers

First, the easiest one: Cassini. This server runs under the same account and with the same privileges as the Visual Studio instance that it's started from. Usually, this is just your own Windows account.

IIS Express uses the exact same code-base as IIS, but it will run under your own Windows account as well, the same account that started Visual Studio (or Web Matrix for that matter).

IIS 6.0

Now for IIS proper. Here you may find many accounts. First of all, the 'old' IIS 6.0 that you will still find on Windows Server 2003 machines would use the following accounts:

  • Network Service (default and recommended worker processes identity for application pools in IIS 6.0 and above)
  • Local Service (pretty limited access)
  • Local System (used for the worker process when running in 'IIS 5.0 isolation mode', member of Administrators and has full access)
  • IIS_WPG (short for Worker Process Group, not an account, but a group; worker process identities should be members of this group to get minimal required permissions)
  • IUSR_ComputerName (not used for a worker process, but rather to map anonymous visitors to a Windows account)
  • IWAM_{ComputerName} (for IIS 5.0 isolation mode, you'd typically use application pools for isolation nowadays)
  • ASPNET (also for IIS 5.0 isolation mode, it looks like the ASP.NET account, but in most cases it isn't)

(This list is based on the TechNet article IIS and Built-in Accounts (IIS 6.0).)

IIS 7 and above

For IIS 7, some of these listed above are no longer relevant, and some are replaced. Since these accounts are built-in to Windows, they have the same SSID everywhere, which may come in handy now and then.

If you upgraded a server from Windows 2003 to Windows 2008, or if you install IIS 6.0 compatibility features or older IIS components, you may have the old and the new accounts on one machine.

  • IUSR (replaces IUSR_{ComputerName}, so used to map anonymous users by default)
  • IIS_IUSRS (replaces the IIS_WPG group, and so is not an account but rather a group)

(This is based on the article Understanding Built-In User and Group Accounts in IIS 7.)

AppPool identities (since IIS 7.0)

This list is now almost complete, but we still need to understand a special type of account: the 'dynamic' AppPool identities. These are not actual accounts on the machine like the others, e.g. you can't find them listed as users in Windows. But they are virtual accounts created on the fly for the application pools, if you choose the ApplicationPoolIdentity option.

If you need to give such an account access privileges to a file or folder, you can still search for the account by typing: IIS AppPool\{DefaultAppPool} (replace {DefaultAppPool} with the name of the application pool that you created).

(You can read more about this in Application Pool Identities on iis.net.)

When you install .NET 4.0, then IIS adds a new application pool to be able to run new .NET 4.0 web applications alongside the existing .NET 2.0 web applications. The installer gives this application pool the name ASP.NET v4.0, and uses the option ApplicationPoolIdentity. Hence a dynamic account is created for this new application pool, whether you use it or not.
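
The answer above describes granting file or folder access to a virtual AppPool identity. The following PowerShell is an added example, not part of the original answer: it checks that a pool uses ApplicationPoolIdentity, resolves the virtual account, grants it read and execute only, and then lists which IIS-related principals can write to the folder. The pool name and path are assumptions, and the script assumes an elevated session on a machine with the WebAdministration module.

```powershell
# Added example. $PoolName and $SitePath are assumed values; change them for your site.
param(
    [string]$PoolName = 'DefaultAppPool',
    [string]$SitePath = 'C:\inetpub\wwwroot'
)

Import-Module WebAdministration

# 1. Confirm the pool runs as a virtual AppPool identity rather than a built-in account.
$identityType = (Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).identityType
Write-Host "Pool '$PoolName' identity type: $identityType"
if ($identityType -ne 'ApplicationPoolIdentity') {
    Write-Warning 'Pool does not use ApplicationPoolIdentity; the ACL entry below would not match its worker process.'
    return
}

# 2. Resolve the virtual account. It is not listed under local users, but it maps to a SID.
#    Translate() throws if no pool with this name exists.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Resolved $($account.Value) to $($sid.Value)"

# 3. Grant read and execute only, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $rights, $inherit, $prop, $allow)

$acl = Get-Acl -Path $SitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# 4. Review: show entries for IIS-related principals and flag any that carry write bits.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $SitePath).Access |
    Where-Object { $_.IdentityReference.Value -match '^(IIS APPPOOL\\|NT AUTHORITY\\IUSR$|BUILTIN\\IIS_IUSRS$)' } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            CanWrite  = [bool]($_.FileSystemRights -band $writeBits)
        }
    } | Format-Table -AutoSize
```

Any Allow row with CanWrite set to True on a content folder is worth reviewing, since a worker process normally only needs to read the site's files.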

OTHER TIPS

Cassini runs under the account that started VS. So the default would be the currently logged-in Windows user; runas will run it under a specific user account.

An application on IIS runs using an application pool. Here is a snippet from the default site:

Every application pool can be configured using Advanced settings:

I should also point out possible impersonation, where the context runs under an impersonated user. This user can be provided by IIS or using code. Here is a sample of how to configure IIS impersonation (Authentication tab for a specific app):

Hope this helps!

Licensed under: CC-BY-SA with attribution