AppPoolIdentity and Permissions in IIS7

One of the better features that came in IIS 7 was the automatic creation of separate application pools for each web site; this had to be done manually for each website in IIS 6. Furthermore, in IIS 7.5, the default application pool identity changed from NetworkService to AppPoolIdentity. Both of these changes were designed to improve process isolation by using separate user accounts for each application pool. It also meant that we do not have to manually create custom Windows user accounts for our application pools anymore.

All well and good. So how do we set folder permissions (ACLs) for these application pools? This is done by setting folder permissions for the "IIS AppPool\[application pool name]" user, where [application pool name] is the name of the application pool in IIS.

When in the Select Users or Groups dialog, ensure that the machine name (Cabbage in my case) is selected for Locations and that Built-in security principals is selected for Object Types, in order to find the application pool identity user.
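The same grant can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original post: the function name, the pool name `MyAppPool`, the folder `C:\inetpub\MyApp` and the default of read-and-execute rights are all assumptions chosen for illustration.

```powershell
# Added example: grant an application pool identity access to a folder.
# Function name, pool name, path and default rights are illustrative assumptions.
function Grant-AppPoolFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$PoolName,
        [Parameter(Mandatory = $true)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )

    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve "IIS AppPool\<name>" to a SID first, so a mistyped pool name
    # fails here instead of leaving a broken entry in the ACL.
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve 'IIS AppPool\$PoolName'. Check the pool name in IIS Manager."
    }

    # Apply to the folder itself and inherit to subfolders and files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $Rights, $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to IIS AppPool\$PoolName")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Return the entries now present for this identity so they can be reviewed.
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
}

# Placeholder values; -WhatIf previews the change without writing the ACL.
Grant-AppPoolFolderAccess -PoolName 'MyAppPool' -Path 'C:\inetpub\MyApp' -WhatIf
```

Run it from an elevated prompt on the web server, and pass `-Rights Modify` only for folders the application actually has to write to.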