First up, setting permissions does not provide security. If you know the SID of the account that has access permissions, you can send a message with that SID in it and you're in, regardless of the sender's actual account. If you want security, use certificates.
In your example, any application running in the context of the IIS_IUSRS account has receive/send permissions. Can't you impersonate a specific account?
If you don't trust the other applications on the server, though, you're already compromised.
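
The certificate suggestion above, sketched as an added example (not code from the original post). It assumes the queue is an MSMQ queue accessed through .NET Framework's `System.Messaging`. The queue path and the thumbprint are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Messaging;   // .NET Framework; reference System.Messaging.dll
using System.Security.Cryptography.X509Certificates;

static class AuthenticatedQueueDemo
{
    // Assumptions: hypothetical queue path and a placeholder thumbprint.
    const string QueuePath = @".\private$\example";
    static readonly HashSet<string> TrustedSenders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<SENDER-CERT-THUMBPRINT>" };

    // Sender: request a signed message and attach the sender's certificate.
    static void Send(MessageQueue queue, X509Certificate2 senderCert, string body)
    {
        using (var msg = new Message(body))
        {
            msg.UseAuthentication = true;
            msg.SenderCertificate = senderCert.GetRawCertData();
            queue.Send(msg);
        }
    }

    // Receiver: decide on the verified certificate, not on the SID in the message.
    static bool IsTrusted(Message msg)
    {
        if (!msg.Authenticated || msg.SenderCertificate.Length == 0) return false;
        var cert = new X509Certificate2(msg.SenderCertificate);
        return TrustedSenders.Contains(cert.Thumbprint);
    }

    static void Main()
    {
        using (var queue = new MessageQueue(QueuePath))
        {
            queue.Authenticate = true; // queue accepts only authenticated messages
            // These properties are only populated when the read filter asks for them.
            queue.MessageReadPropertyFilter.Authenticated = true;
            queue.MessageReadPropertyFilter.SenderCertificate = true;
            queue.Formatter = new XmlMessageFormatter(new[] { typeof(string) });
            try
            {
                using (Message msg = queue.Receive(TimeSpan.FromSeconds(5)))
                    Console.WriteLine(IsTrusted(msg) ? "accepted: " + msg.Body : "rejected");
            }
            catch (MessageQueueException ex)
                when (ex.MessageQueueErrorCode == MessageQueueErrorCode.IOTimeout)
            {
                Console.WriteLine("no message within timeout");
            }
        }
    }
}
```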