What is the purpose of the IWAM account?

I don't really understand what this account is used for. I know I have to have the IUSR account for anonymous access from a web browser but not sure when to grant NTFS permission to the IWAM account.

IUSR is the account that IIS uses for anonymous access. You need to grant NTFS permissions to this account on any content you want to serve.

IWAM is used by the ASP process (dllhost.exe) to run applications set in either medium (pooled) or high protection. You shouldn't need to do anything special with this account.

Got the same from another forum :-)

In the following case the IWAM_machinename account is also used:

If the Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (the Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application).

a182612 (Author) commented:
What kind of applications? I do use ASP forms on my web site to send data to a SQL database. Would this require the IWAM account on the NTFS permissions?

The IWAM account is the Internet Web Application manager account.

It is used as the process ID for DLLHost in IIS 5 and 5.1 and can be used in 6.0 but is not the default.

In essence, every process has to have a process level ID in order to run.  If you do not use any other authentication and end up using the process level token to try and gain access to a resource you will end up using IWAM in an out of process site or application, or Local System when running in process.

When a user accesses IIS we will generally impersonate that user and use the thread level token to gain access to resources rather than the process level token.  COM objects will generally use the process level token unless specifically told to use a thread level token.

An important thing to remember is that Anonymous *is* an authentication method and we will end up impersonating the IUSR account when a user accesses the site via Anonymous authentication.

Bottom line, it is an account that is used to enable DLLHost to start and give default access to resources if no other authentication is performed.

Dave Dietz
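
Added example, not part of the original thread: a PowerShell report of the NTFS entries that the anonymous account (IUSR_machinename) and the out-of-process account (IWAM_machinename) currently hold on a content tree, so you can see whether anything has been granted to IWAM at all. The content path and the assumption that both accounts are local accounts named after the computer are assumptions of this example.

```powershell
# Added example (not from the thread): list explicit and inherited NTFS
# entries for the IIS anonymous and out-of-process accounts under a web root.
param(
    # Assumption: default IIS content directory; pass your own site path.
    [string]$ContentRoot = 'C:\Inetpub\wwwroot',
    # Assumption: the accounts are local and named after this computer.
    [string]$Machine = $env:COMPUTERNAME
)

# IUSR_<machine> is impersonated for anonymous requests;
# IWAM_<machine> is the process identity of dllhost.exe for
# medium (pooled) and high protection applications.
$accounts = @("$Machine\IUSR_$Machine", "$Machine\IWAM_$Machine")

# Include the root itself as well as everything beneath it.
$items = @(Get-Item -Path $ContentRoot) +
         @(Get-ChildItem -Path $ContentRoot -Recurse)

$report = foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    foreach ($ace in $acl.Access) {
        # -contains is case-insensitive, which matches account name rules.
        if ($accounts -contains $ace.IdentityReference.Value) {
            $ace | Select-Object `
                @{ Name = 'Path';    Expression = { $item.FullName } },
                @{ Name = 'Account'; Expression = { $_.IdentityReference.Value } },
                @{ Name = 'Type';    Expression = { $_.AccessControlType } },
                @{ Name = 'Rights';  Expression = { $_.FileSystemRights } },
                IsInherited
        }
    }
}

# Group by account so IUSR and IWAM entries can be compared side by side.
$report | Sort-Object Account, Path |
    Format-Table Account, Type, Rights, IsInherited, Path -AutoSize

# Summary: how many entries each account holds on the tree.
$report | Group-Object Account | Select-Object Name, Count
```

The report only shows entries that name the two accounts directly; access that either account gets through group membership (for example Everyone or Users) does not appear in it.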

Question has a verified solution.