I'm running a machine with Windows Web Server 2008 R2 and I want to restrict various users' access to specific aspects of the machine. For example, ideally I'd like to create a few local users that can only manage specific websites in IIS. If that's not possible, I'd like to restrict them to IIS only (so they can't modify any other aspects of the machine's configuration and can't install any software). What's the best way to go about doing this?
Is there also a way to log changes made to IIS by users (even if it's just saying "User xyz made a change to website abc")?