ASP.NET does not run as the IIS website anonymous account; it uses the application pool identity (default: "network service").
So all of the websites in the same application pool will run as the "network service" account.
To let files in these websites be accessed normally, we need to add the "network service" NTFS permission to all of the websites' folders.
If a cracker uploads a webshell to one of these websites, the webshell can edit all of these websites. It's not safe.
To solve this issue, we can set the "impersonate" property from "false" to "true". That will let each website run as the IIS anonymous account.
But now my problem is that the crackers can edit the web.config file in the website folder and set the "impersonate" property back to "false". Settings in web.config have a higher priority than the global settings. How can I prevent them from doing this?
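The configuration described above, as an added example that is not part of the original post: the impersonation setting is placed in the machine-level web.config inside a `<location>` element with `allowOverride="false"`, which is ASP.NET's mechanism for locking a setting against lower-level web.config files. The site name `SiteA` is a placeholder assumption.

```xml
<!-- Machine-level web.config (the global file next to machine.config),
     not the web.config inside the site folder. Keep this file writable
     by administrators only. -->
<configuration>

  <!-- "SiteA" is a placeholder for the IIS site name.
       allowOverride="false" locks everything inside this <location>
       so that the site's own web.config cannot redefine it. -->
  <location path="SiteA" allowOverride="false">
    <system.web>
      <!-- Requests run as the IIS-authenticated identity
           (the site's anonymous account for anonymous requests)
           instead of the shared application pool identity. -->
      <identity impersonate="true" />
    </system.web>
  </location>

</configuration>

<!-- For comparison, the change the post is worried about, made in
     SiteA's own web.config:

       <system.web>
         <identity impersonate="false" />
       </system.web>

     With the lock above in place this is rejected as a configuration
     error when the site loads, rather than taking priority. -->
```

Because the lock turns an edited web.config into a hard configuration error, a site that suddenly starts failing with one after a file change is worth investigating as a possible tampering attempt.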