Accounts Used by IIS

Because everything in WS03 has to run within a security context, and an account is required for access, IIS installs two accounts and one group to your account database for its use. These allow IIS to run code and worker processes and allows people to access your site. These accounts and group are discussed next.

IUSR_COMPUTERNAME

This user account grants anonymous access to a web site when a user connects to a web page without any security information of his or her own. This user is not a member of any group other than Guests, by default.

IWAM_COMPUTERNAME

This user account is used to launch worker processes. It is a member of the IIS_WPG group.

IIS_WPG

The members of this group can run worker processes. Any user account that runs worker processes needs to be a member of this group. This is a low security account that has the rights of Network Service. Processes using the Network Service level of rights can access the server as though they were running from outside the server, so they don’t have direct access to the operating system.

You can view these in the Computer Management MMC, in the Administrative Tools group. Here’s how to open Users and Groups:

1. At the Start menu, click Administrative Tools and then Computer Management.

2. In the Computer Management MMC, users and groups are listed separately under Local Users and Groups.

3. However, if this computer is a domain controller, users and groups are located in the Active Directory Users And Computers under Administrative Tools.