IIS 6.0 default permissions and user rights settings summary

Source: Internet
Author: User
NTFS Permissions
Directory                                         Users \ Group              Permissions
%windir%\help\iishelp\common                      Administrators             Full Control
%windir%\help\iishelp\common                      System                     Full Control
%windir%\help\iishelp\common                      IIS_WPG                    Read, execute
%windir%\help\iishelp\common                      Users (see Note 1)         Read, execute
%windir%\IIS Temporary Compressed Files           Administrators             Full Control
%windir%\IIS Temporary Compressed Files           System                     Full Control
%windir%\IIS Temporary Compressed Files           IIS_WPG                    Full Control
%windir%\IIS Temporary Compressed Files           Creator Owner              Full Control
%windir%\system32\inetsrv                         Administrators             Full Control
%windir%\system32\inetsrv                         System                     Full Control
%windir%\system32\inetsrv                         Users                      Read, execute
%windir%\system32\inetsrv\*.vbs                   Administrators             Full Control
%windir%\system32\inetsrv\ASP Compiled Templates  Administrators             Full Control
%windir%\system32\inetsrv\ASP Compiled Templates  IIS_WPG                    Full Control
%windir%\system32\inetsrv\history                 Administrators             Full Control
%windir%\system32\inetsrv\history                 System                     Full Control
%windir%\system32\logfiles                        Administrators             Full Control
%windir%\system32\inetsrv\metaback                Administrators             Full Control
%windir%\system32\inetsrv\metaback                System                     Full Control
Inetpub\adminscripts                              Administrators             Full Control
Inetpub\wwwroot (or content directory)            Administrators             Full Control
Inetpub\wwwroot (or content directory)            System                     Full Control
Inetpub\wwwroot (or content directory)            IIS_WPG                    Read, execute
Inetpub\wwwroot (or content directory)            IUSR_machinename           Read, execute
Inetpub\wwwroot (or content directory)            ASPNET (see Note 2)        Read, execute

Note 1: You must have appropriate permissions on this directory when you use Basic authentication or integrated authentication and when you configure custom errors. For example, when a 401.1 error occurs, the user sees the expected custom error details only if the logged-on user has been granted permission to read the 4011.htm file.

Note 2: By default, ASPNET is used as the ASP.NET process identity in IIS 5.0 isolation mode. If you switch ASP.NET to IIS 5.0 isolation mode, ASPNET must have access to the content area. ASP.NET process isolation is described in detail in IIS Help. For additional information, visit the following Microsoft Web site:

ASP.NET process isolation
http://technet2.microsoft.com/WindowsServer/zh-CHS/Library/32f8749c-753e-4c70-8ed7-f5defacc6adf2052.mspx?mfr=true
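
The following PowerShell script is an added example, not part of the original page: it compares the live ACLs of a subset of the directories in the NTFS table with the listed defaults, reporting baseline entries that are missing and accounts that can write where the table does not grant write access. It assumes PowerShell 2.0 or later, that Inetpub is on %SystemDrive%, and that "machinename" is the local computer name.

```powershell
# Added example, not from the original page. Requires PowerShell 2.0 or later.
# Assumptions: Inetpub is on %SystemDrive%; "machinename" is the local computer name.
$baseline = @'
Path,Identity,Rights
%windir%\system32\inetsrv,Administrators,FullControl
%windir%\system32\inetsrv,System,FullControl
%windir%\system32\inetsrv,Users,ReadAndExecute
%windir%\system32\inetsrv\ASP Compiled Templates,Administrators,FullControl
%windir%\system32\inetsrv\ASP Compiled Templates,IIS_WPG,FullControl
%windir%\system32\inetsrv\metaback,Administrators,FullControl
%windir%\system32\inetsrv\metaback,System,FullControl
%SystemDrive%\Inetpub\wwwroot,Administrators,FullControl
%SystemDrive%\Inetpub\wwwroot,System,FullControl
%SystemDrive%\Inetpub\wwwroot,IIS_WPG,ReadAndExecute
%SystemDrive%\Inetpub\wwwroot,IUSR_machinename,ReadAndExecute
'@ | ConvertFrom-Csv
$write = [int][System.Security.AccessControl.FileSystemRights]::WriteData

foreach ($group in ($baseline | Group-Object Path)) {
    $path = [Environment]::ExpandEnvironmentVariables($group.Name)
    if (-not (Test-Path $path)) { "SKIP    $path (not present)"; continue }

    # Expected rights per account name, as an integer access mask.
    $expected = @{}
    foreach ($row in $group.Group) {
        $name = $row.Identity -replace 'machinename$', $env:COMPUTERNAME
        $expected[$name] = [int][System.Security.AccessControl.FileSystemRights]$row.Rights
    }

    # Combine the Allow ACEs per account, keyed by name without the domain prefix.
    $granted = @{}
    foreach ($ace in (Get-Acl $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $granted[$name] = [int]$granted[$name] -bor [int]$ace.FileSystemRights
    }

    foreach ($name in $expected.Keys) {
        if (([int]$granted[$name] -band $expected[$name]) -ne $expected[$name]) {
            "MISSING $path : $name lacks the baseline rights"
        }
    }
    foreach ($name in $granted.Keys) {
        $mayWrite = ([int]$expected[$name] -band $write) -ne 0
        if (($granted[$name] -band $write) -ne 0 -and -not $mayWrite) {
            "EXTRA   $path : $name can write but the baseline does not allow it"
        }
    }
}
```

An EXTRA line on the content directory for IUSR_machinename or IIS_WPG is the finding to look at first, since the table grants those accounts only Read, execute there.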


Registry Permissions
Location                                         User \ Group       Permissions
HKLM\system\currentcontrolset\services\asp       Administrators     Full Control
HKLM\system\currentcontrolset\services\asp       System             Full Control
HKLM\system\currentcontrolset\services\asp       IIS_WPG            Read
HKLM\system\currentcontrolset\services\http      Administrators     Full Control
HKLM\system\currentcontrolset\services\http      System             Full Control
HKLM\system\currentcontrolset\services\http      IIS_WPG            Read
HKLM\system\currentcontrolset\services\iisadmin  Administrators     Full Control
HKLM\system\currentcontrolset\services\iisadmin  System             Full Control
HKLM\system\currentcontrolset\services\iisadmin  IIS_WPG            Read
HKLM\system\currentcontrolset\services\w3svc     Administrators     Full Control
HKLM\system\currentcontrolset\services\w3svc     System             Full Control
HKLM\system\currentcontrolset\services\w3svc     IIS_WPG            Read


Windows User Rights
Policy                                       User
Access this computer from the network        Administrators
Access this computer from the network        ASPNET
Access this computer from the network        IUSR_machinename
Access this computer from the network        IWAM_machinename
Access this computer from the network        Users
Adjust memory quotas for a process           Administrators
Adjust memory quotas for a process           IWAM_machinename
Adjust memory quotas for a process           Local Service
Adjust memory quotas for a process           Network Service
Bypass traverse checking                     IIS_WPG
Allow log on locally (see Note)              Administrators
Allow log on locally (see Note)              IUSR_machinename
Deny logon locally                           ASPNET
Impersonate a client after authentication    Administrators
Impersonate a client after authentication    ASPNET
Impersonate a client after authentication    IIS_WPG
Impersonate a client after authentication    Service
Log on as a batch job                        ASPNET
Log on as a batch job                        IIS_WPG
Log on as a batch job                        IUSR_machinename
Log on as a batch job                        IWAM_machinename
Log on as a batch job                        Local Service
Log on as a service                          ASPNET
Log on as a service                          Network Service
Replace a process level token                IWAM_machinename
Replace a process level token                Local Service
Replace a process level token                Network Service


Note: In a default new installation of Microsoft Windows Server 2003 with IIS 6.0, the Users and Everyone groups hold the Bypass traverse checking user right. The worker process identity inherits this right from one of these two groups. If you remove both groups from Bypass traverse checking, the worker process identity does not inherit the right through any other assignment, so the worker process will not start. If you must remove the Users and Everyone groups from Bypass traverse checking, add the IIS_WPG group so that IIS runs as expected.
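
The check below is an added example, not part of the original page: before or after tightening Bypass traverse checking, it exports the user rights assignment with secedit and confirms that Users, Everyone or IIS_WPG still holds the right. The temporary file name is an assumption, and the script must run from an elevated prompt with PowerShell 2.0 or later.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# SeChangeNotifyPrivilege is the internal name of "Bypass traverse checking".
$line = Get-Content $cfg | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
Remove-Item $cfg
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Well-known SIDs: Everyone (S-1-1-0) and BUILTIN\Users (S-1-5-32-545).
# IIS_WPG is a local group, so its SID is looked up on this machine; the
# export can also list an account by name, so the name is accepted too.
$accepted = @('S-1-1-0', 'S-1-5-32-545', 'IIS_WPG')
try {
    $wpg = New-Object System.Security.Principal.NTAccount('IIS_WPG')
    $accepted += $wpg.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    'IIS_WPG group not found on this machine'
}

$match = @($holders | Where-Object { $accepted -contains $_ })
if ($match.Count -gt 0) {
    "OK: Bypass traverse checking is held by $($match -join ', ')"
} else {
    'WARNING: Users, Everyone and IIS_WPG all lack Bypass traverse checking; worker processes will not start'
}
```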

Note: In IIS 6.0, if Basic authentication is configured as one of the authentication options, the LogonMethod metabase property for Basic authentication is NETWORK_CLEARTEXT. The NETWORK_CLEARTEXT logon type does not require the "Allow log on locally" user right. This also applies to anonymous authentication. For additional information, see the "Basic Authentication Default Logon Type" topic in IIS Help. You can also visit the following Microsoft Web site:

Basic Authentication
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx
