Configuring Application Pool Identity with IIS 6.0 (IIS 6.0)
This feature of IIS 6.0 is available only when IIS is running in worker process isolation mode.
The identity of an application pool is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights. That is, this account provides better security against attackers or malicious users who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. The LocalService account has low access rights as well, and is useful for situations that do not require access to resources on remote computers. You can configure application pools to run as LocalSystem, which is an account with more user rights than the Network Service or LocalService account. However, be mindful that running an application pool under an account with increased user rights presents a high security risk.
For example, suppose that an Internet Service Provider (ISP) wants to allow customers to upload Common Gateway Interface (CGI) applications and then add them to an application pool. Running CGI-enabled applications in a separate application pool under the Network Service account, with its lower user rights, reduces the risk that these applications will be used to attack the server.
For more information about application pool identities, see Configuring Application Pool Identity in IIS 6.0.
Important You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
To change the account under which an application pool runs using IIS Manager
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exeScriptName (include the script's full path and any known parameters).
To change the account under which an application pool runs using the Adsutil.vbs administration script
To programmatically change the account under which an application pool runs