1) Web application
2) "A folder" mapped to IIS via network share
3) A standalone application

I have a folder that is mapped to IIS. Note that this folder is not in website context but an external to the web application (web application is in inetput whereas the folder is somewhere else).

If I give "Everyone" full rights, then this folder is accessible.

Another standalone application should read and write to this folder and web application should read this folder.

Which users should I give what rights to that folder.
LVL 12
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
I would suggest that you create an account that you will use to run the application pool. and give this account read/write permission to this account for the folder.

I hope this help.
jazzIIIloveAuthor Commented:
So, I shouldn't be using IUSR but a separate user or?
Dan McFaddenSystems EngineerCommented:
As Emmanual mentioned, create a service account for the AppPool.  Configure the AppPool to use the account you just created, recycle the AppPool.

Do not use the IUSR account.  Creating a named account for this purpose is a better practice.

Modify the share permissions and NTFS permissions to grant the account Read-Only rights.

Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

jazzIIIloveAuthor Commented:

Thanks. What about my comment:

"Another standalone application should read and write to this folder"
Dan McFaddenSystems EngineerCommented:
The standalone application should be configured in a similar way.  If it is an application that is running as a service, make sure that the service is running with a named account.  Make sure that is account has Modify permissions at the Share and NTFS levels.

If it is a console/GUI application where you need a logged user to run the app, this user account needs Modify permissions as mentioned.

jazzIIIloveAuthor Commented:

Thanks. One final question and don't hate me :)

You said: Do not use the IUSR account.  

Fine, but for nontechnical reasons, i cannot involve application pool logic. What would be the settings if i go for iusr? And any other user type? We have also a dedicated user, Foo in windows for this upload operation to the shared network folder. What would be the setting for iusr and this foo user? Or any other user?

Best regards
Dan McFaddenSystems EngineerCommented:
Here is an article that describes the IUSR object and there respective place in IIS.


Basically the IUSR account is an anonymous account created during the installation of IIS Services.  It is a local account which has been granted permissions to perform anonymous action on the network.  Essentially an IIS Guest account.  In terms of network-based share access, since the account is local to the server, it is not capable to have ACLs assigned to it to access a share off the server.

To accomplish this, you need to create a domain based account and assign those credentials to the AppPool that needs access to the network resource.

This is explained in detail in the article.

As for Application pool logic... there is no application logic in an AppPool.  The "logic" comes from the website where the code resides... an AppPool is only a container for the execution of the site's code.

As stated above, the settings for the "service account" ... FOO as you stated above, are that the account needs to be domain based and then have the necessary permissions granted to it at the file share and NTFS levels.

jazzIIIloveAuthor Commented:

I created a domain based account but i ended up with the following while setting it up in application pool. Any remedy?
jazzIIIloveAuthor Commented:
Dan McFaddenSystems EngineerCommented:
Not to be rude, but that error message states that the password that was given is wrong.  Meaning you typed in a false password.

You need to use the full domain identifier when entering the account info.  For example:



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jazzIIIloveAuthor Commented:
You were precise. Not rude at all :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.