Summary of iis6.0 default permissions and user permission settings

NTFS permission
Directory user \ Group Permissions
% Windir % \ HELP \ IISHelp \ common administrators full control
% Windir % \ HELP \ IISHelp \ common system full control
% Windir % \ HELP \ IISHelp \ common iis_wpg read and execute
% Windir % \ HELP \ IISHelp \ common users (see "NOTE 1 ".) Read and execute
% Windir % \ IIS temporary compressed files administrators full control
% Windir % \ IIS temporary compressed files system full control
% Windir % \ IIS temporary compressed files iis_wpg full control
% Windir % \ IIS temporary compressed files Creator Owner full control
% Windir % \ system32 \ inetsrv administrators full control
% Windir % \ system32 \ inetsrv system full control
% Windir % \ system32 \ inetsrv users read and execute
% Windir % \ system32 \ inetsrv \ *. vbs administrators full control
% Windir % \ system32 \ inetsrv \ ASP compiled templates administrators full control
% Windir % \ system32 \ inetsrv \ ASP compiled templates iis_wpg full control
% Windir % \ system32 \ inetsrv \ history administrators full control
% Windir % \ system32 \ inetsrv \ history system full control
% Windir % \ system32 \ logfiles administrators full control
% Windir % \ system32 \ inetsrv \ metaback administrators full control
% Windir % \ system32 \ inetsrv \ metaback system full control
Inetpub \ adminscripts administrators full control
Inetpub \ wwwroot (or content directory) full control of Administrators
Inetpub \ wwwroot (or content directory) system full control
Inetpub \ wwwroot (or content directory) iis_wpg reads and executes
Inetpub \ wwwroot (or content directory) IUSR_machinename read and execute
Inetpub \ wwwroot (or content directory) ASPnet (see "NOTE 2 ".) Read and execute

Note 1: This directory must have the relevant permissions when using basic or integrated authentication and When configuring custom errors. For example, in case of error 401.1, only the logged-on user is granted the permission to read the 4011.htm file, the user will see the expected custom error details.

NOTE 2: By default, ASP. NET is used as the ASP. NET process identifier in IIS 5.0 Isolation Mode. If ASP. NET is switched to IIS 5.0 Isolation Mode, ASP. NET must have access to the content area. The ASP. NET process isolation is described in detail in IIS Help. For more information, visit the following Microsoft Website:

ASP. NET process isolation
Http://technet2.microsoft.com/WindowsServer/zh-CHS/Library/32f8749c-753e-4c70-8ed7-f5defacc6adf2052.mspx? MFR = true (http://technet2.microsoft.com/WindowsServer/zh-CHS/Library/32f8749c-753e-4c70-8ed7-f5defacc6adf2052.mspx? MFR = true)

registry permission
location user \ group permission
full control of HKLM \ System \ CurrentControlSet \ Services \ ASP administrators
HKLM \ System \ CurrentControlSet \ Services \ ASP system full control
HKLM \ System \ CurrentControlSet \ Services \ ASP iis_wpg read
HKLM \ System \ CurrentControlSet \ Services \ HTTP administrators full control
HKLM \ System \ CurrentControlSet \ Services \ HTTP system full control
HKLM \ System \ CurrentControlSet \ Services \ HTTP iis_wpg read
HKLM \ System \ CurrentControlSet \ Services \ IISADMIN administrators full control
HKLM \ System \ CurrentControlSet \ Services \ IISADMIN system full control
HKLM \ System \ CurrentControlSet \ Services \ IISADMIN iis_wpg read
HKLM \ System \ CurrentControlSet \ Services \ W3SVC administrators full control
HKLM \ System \ CurrentControlSet \ Services \ W3SVC system full control
HKLM \ System \ CurrentControlSet \ Services \ W3SVC iis_wpg read

Windows User Permissions
Policy user
Access this computer's administrators from the Network
Access this computer's ASPnet from the Network
Access this computer's IUSR_machinename from the Network
access the computer IWAM_machinename from the Network
access the computer users from the Network
adjust the process memory quota administrators
adjust the process memory quota IWAM_machinename
adjust the process memory quota local service
adjust process memory quota network service
skip traversal check iis_wpg
allow local Logon (see "NOTE ") administrators
allow local Logon (see "NOTE ") IUSR_machinename
refuse to log on to ASPnet locally
simulate client administrators after authentication
simulate client ASPnet after authentication
simulate client iis_wpg after authentication
> simulate client service after authentication
log on to ASPnet as a batch job
log on to iis_wpg as a batch job
log on to IUSR_machinename as a batch job
process job logon IWAM_machinename
log on to the local service as a batch job
log on to ASPnet as a service
log on to the network service as a service
Replace the process-Level Token IWAM_machinename
replace Process-Level Token local service
Replace Process-Level Token network service

Note: In Microsoft Windows Server 6.0 with IIS 2003 installed by default, both the Users Group and the Everyone group have the "Skip traversal check" permission. The Worker Process Identity inherits the "Skip traversal check" permission from one of the two groups. If you delete these two groups from the "Skip traversal check" permission, the workflow ID does not inherit the "Skip traversal check" permission through any other assignment, so the workflow cannot start. If you must delete the users and everyone groups from the "Skip traversal check" permission, add the iis_wpg group to allow IIS to run as expected.

Note: in IIS 6.0, If you configure basic authentication as one of the authentication options, the "logonmethod" metadatabase attribute of basic authentication will be network_cleartext. The network_cleartext logon type does not require the "Allow Local Logon" user permission. This also applies to anonymous authentication. For other information, see the "Default logon type for basic identity authentication" topic in IIS Help. You can also visit the following Microsoft Website:

Basic Authentication
Http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx)