IIS 6 vs. IIS 7 IUSR Accounts
What happened to the IUSR_MachineName and IIS_WPG group in Internet Information Services (IIS) 7?
by Zubair Alexander
11/12/2009 -- Microsoft has made several changes to the IIS accounts in IIS 7 on Windows Server 2008. In IIS 6 on Windows Server 2003, there was an IUSR_MachineName account and an IIS_WPG group. Both were local to the computer where IIS was installed. Microsoft used the IUSR_MachineName account in the metabase.xml file, so if you copied the metabase from one computer to another in IIS 6, it didn't work, because the Security Identifier (SID) was a local SID attached to that machine. For the same reason, you couldn't copy Access Control Lists (ACLs) from one computer to another using "xcopy /o".
The IIS_WPG group, which was used for application pool identities in IIS 6, had similar permission issues. As a workaround, most administrators used an Active Directory domain account, but businesses that had not deployed Active Directory did not want to add it for this reason alone.
In IIS 7, Microsoft took a different approach. The IUSR_MachineName account and the IIS_WPG group have been replaced by the IUSR account and the IIS_IUSRS group, respectively. The new IUSR account and IIS_IUSRS group in IIS 7 are no longer tied to a specific machine in Windows Server 2008. In IIS 6, the IUSR_MachineName account was used for anonymous authentication by both the HTTP and FTP services. In IIS 7, the IUSR account is used for anonymous authentication by HTTP and, unlike in IIS 6, no longer requires a password.
However, don't be confused if you still see an IUSR_MachineName account: it appears only when you install the FTP server. Without the FTP server, you will not see this account.
The good news is that in Windows Server 2008 you can use "xcopy /o" to copy ACLs from one computer to another, and you no longer need to worry about password expiration for the IUSR account.
If you look at the Authentication feature in IIS 7, you'll notice that when Anonymous Authentication is enabled it uses the IUSR account by default. You can verify this by selecting the Web site and double-clicking Authentication in the IIS section of the Features view. For the application pool identity, the NetworkService account is used by default. You can verify this by going to Application Pools and, in the Features view, looking under the Identity column for the identity each application pool uses. For example, both the DefaultAppPool and the OfficeServerApplicationPool use NetworkService as their identity in IIS 7.
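The same three checks can be scripted rather than clicked through in IIS Manager. The PowerShell below is an added example, not part of the column, that uses the built-in appcmd.exe and Get-Acl to report the anonymous authentication user, each application pool's identity, and which IIS accounts appear on the web root ACL; the site name and web root path are assumptions.

```powershell
# Added example (not from the column): audit which identities an IIS 7 server actually
# uses. Assumes IIS 7 on Windows Server 2008 with the default install location;
# the site name and physical path below are assumptions.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'        # assumption: site to inspect
$webRoot = 'C:\inetpub\wwwroot'      # assumption: physical path of that site

# 1. Anonymous authentication identity for the site. The IIS 7 default is the
#    built-in IUSR account; an empty userName means "use the application pool identity".
$anon = & $appcmd list config $site /section:anonymousAuthentication
$user = ([regex]::Match(($anon -join ' '), 'userName="([^"]*)"')).Groups[1].Value
if ($user -eq '') {
    "Anonymous authentication runs as the application pool identity"
} elseif ($user -match '^IUSR_') {
    # A machine-bound IUSR_MachineName account: IIS 6 style, or the FTP server's account
    "Anonymous authentication uses the machine-bound account $user"
} else {
    "Anonymous authentication uses $user"
}

# 2. Identity of every application pool; NetworkService is the IIS 7 default.
& $appcmd list apppool /text:name | ForEach-Object {
    $idType = & $appcmd list apppool $_ /text:processModel.identityType
    $custom = & $appcmd list apppool $_ /text:processModel.userName
    $id = if ($idType -eq 'SpecificUser') { $custom } else { $idType }
    "AppPool {0,-30} identity: {1}" -f $_, $id
}

# 3. Confirm the web root grants the IIS_IUSRS group (a well-known SID) rather than a
#    per-machine IUSR_MachineName SID, so the ACL still resolves after "xcopy /o".
$acl = Get-Acl $webRoot
$acl.Access |
    Where-Object { $_.IdentityReference -match 'IIS_IUSRS|IUSR' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since appcmd reads applicationHost.config and Get-Acl needs read access to the folder's security descriptor.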
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .