IIS_IUSRS group and Users group for IIS---- WCF Service usage

Does IIS_IUSRS  group implicitly belong to the USERS group on windows 7 ?

Why I ask is--- if I assign either IIS_USRS or Users to a folder that contains my WCF Service, the service runs fine. If I remove both of them having access to my WCF Service folder, I receive the following:

Exception: System.IO.FileLoadException

Message: Could not load file or assembly 'System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Access is denied.

My folder that contains the WCF Service is not under c:\inetpub\wwwroot but under a folder I created through Visual Studio.

Special note: The IIS 7.5 runs under  IIS_USRS user group member  IIS APPPOOL\DefaultAppPool. Also the System.Web folder gives access to the Users group but not the IIS_IUSRS  group.
Lawrence AverySystem DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Patrick BogersDatacenter platform engineer LindowsCommented:

AFAIK IIS_IUSRS is a buildin group like users but members of IIS_IUSRS have more rights than standard users do.
This built-in group has access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity.

Why would you even consider removing IIS_IUSRS rights set by IIS?
Lawrence AverySystem DeveloperAuthor Commented:
I just happen to notice when I had the USERS group access only for my application folder, my application still worked. And then my curiosity set in knowing my application was running under a IIS_USRS group member and my folder did not have IIS_USRS group assigned.

So bottom line, when I removed both IIS_USRS and USERS , my application would fail.
However, having either group  my application would work.

So that made me think IIS_USRS must be somehow associated with the USERS group.  
It almost seems like IIS_USRS is also part of the USERS group.
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi Metro,

Since i had to log into my webserver rack i remembered your question.
I found "users" and "IIS_IUSRS" are both member of "NT\authenticated users" so this would explain your findings.

Still! remember this can mean "IIS_IUSRS" has more rights then "USERS".


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lawrence AverySystem DeveloperAuthor Commented:
Excellent. Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.