Folks, I highly recommend you look into using App Pool Identities for web sites and applications. No laughs please, as I know this advice comes a few years late, but I haven't had time to experiment with them until the last few weeks when I was forced to phase out the NETWORK SERVICE account because it was interfering with my server's security.
See: http://www.iis.net/learn/manage/configuring-security/application-pool-identities

For several years the easy way of getting an IIS app working was to give it the NETWORK SERVICE account, but as the number of apps grows this creates cross-cutting problems that finally drove me to phase it out.

The irritating thing is that the "virtual accounts" created for App Pools don't appear in many dialogs for quick picking. I'm tired of typing "IIS APPPOOL\My Great Pool" into the permissions dialog and clicking Check after selecting local machine instead of domain.

I also found that debugging an app in VS2012 running under a virtual account shows a really irritating popup warning about attaching the debugger. I was hoping to fix this via adding something to a debugger group or similar, but the only hackaround I can find was to adjust a registry setting.

Despite the walls you have to knock down as usual to get it working, the end results are much neater and you can get rid of NETWORK SERVICE related ACLs scattered around the place.

Greg K
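An added example, not part of the original post: a PowerShell sketch that finds explicit NETWORK SERVICE entries under a site folder and, with `-Apply`, re-grants the same rights to the app pool's virtual account without going through the permissions dialog. The pool name is the one quoted in the post; the site path and the parameter names are assumptions.

```powershell
# Added example. The defaults for $PoolName and $SiteRoot are assumed values.
param(
    [string]$PoolName = 'My Great Pool',
    [string]$SiteRoot = 'C:\inetpub\wwwroot\MyGreatApp',
    [switch]$Apply    # without -Apply the script only reports
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# The virtual account resolves by name even though the object picker does not list it.
$poolAccount = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$PoolName")
try   { $poolSid = $poolAccount.Translate($sidType) }
catch { throw "Cannot resolve '$poolAccount'. Does the application pool exist?" }

$networkService = 'S-1-5-20'   # well-known SID, independent of the OS language

$items = @(Get-Item -LiteralPath $SiteRoot) +
         @(Get-ChildItem -LiteralPath $SiteRoot -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Explicit (non-inherited) ACEs only; inherited ones are fixed at the parent.
    $stale = @($acl.GetAccessRules($true, $false, $sidType) |
               Where-Object { $_.IdentityReference.Value -eq $networkService })
    if ($stale.Count -eq 0) { continue }

    foreach ($rule in $stale) {
        "{0}: NETWORK SERVICE {1} {2}" -f $item.FullName,
            $rule.AccessControlType, $rule.FileSystemRights
        if ($Apply) {
            # Same rights and inheritance, but scoped to this one pool's identity.
            $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $poolSid, $rule.FileSystemRights, $rule.InheritanceFlags,
                              $rule.PropagationFlags, $rule.AccessControlType
            $acl.AddAccessRule($replacement)
            $acl.RemoveAccessRuleSpecific($rule)
        }
    }
    if ($Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it from an elevated prompt, and read the report before using `-Apply`: the script copies each right exactly as it was granted to NETWORK SERVICE, so an over-broad grant stays over-broad unless you trim it.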
