This isn't ideal - and I'd rather do as above. The alternative approach I've taken is to have an external process set the permissions on the folders in IIS for read and execute, allow_pull and allow_push in the hgrc for the repository as appropriate.
In terms of shortcomings:
- Its another process that needs to know about the location of the repository.
- The process needs a mechanism to find out about updates to the groups (i.e. polling).