I have configured IIS8 to use separate ACL accounts for each website/applicationpool, moving the websites to their own folders in a different location ("c:\websites\siteA", "c:\websites\siteB" etc.)
I have also removed the "User" group premissions from this new websites folder so that users cannot access other users web folders.
This all appears to meet the best practices documentation I have see however...
All of the new IIS users I have created are still members of the "Users" group and therefore have read, execute, list permissions for most of the C:\ including windows and program files.
What is the usual way of dealing with this and locking people into their allocated website folders?