We have several IIS7.5 web servers each hosting many websites. All sites on these servers run under the application pool identity.
It is my understanding that in IIS7.5 app pool identities are not actually added to the IIS_IUSRS group explicitly. Instead, implicit membership of the group is assumed, and when a worker process starts, the SID of IIS_IUSRS is injected into the token.
I have also read documentation that suggests that the application pool identity is added to the IIS_IUSRS group when the worker process starts, so I'm a little confused as to which version is correct.
The question I have is why some of the app pool identities appear as members of IIS_IUSRS and others do not. I have used appcmd to get a verbose listing of configuration and can see no difference in app pool configuration. Both sites I am using for comparison are using .NET4 and Integrated managed pipeline mode. manualGroupMembership is configured as false for all application pools.
Very grateful if someone could shed some light on this.
Thanks!