I followed these two questions:
IIS AppPoolIdentity and file system write access permissions
To try to understand how it is possible to isolate IIS ApplicationPoolIdentity users, although they are members of the Users group, which has read access practically everywhere.
I think it would be more secure if App Pool\myapp could only read the contents of the site (or read/write its virtual directory), but what is the best practice for doing that without removing the Users group ACL from everywhere? My Windows server's defaults have the "users" group on the volume's ACL with read access, and it inherits to all folders...
This question is also answered in the answer you linked to, by Kev. You should preferably set up your web root on a separate non-system drive. There you can remove the Users group from the top level and grant rights to the home folder of each site to the respective application pool identities only.
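The layout described in the answer above, as an added PowerShell example (not code from the answer or from Kev's post). The path D:\wwwroot, the site names and the helper function are assumptions; it also assumes each application pool already exists and that anonymous authentication runs as the application pool identity.

```powershell
# Assumed layout (hypothetical): web root on a non-system drive,
# one folder per site, each folder named after its application pool.
$WebRoot = 'D:\wwwroot'
$Sites   = 'myapp', 'otherapp'          # constructed sample names

# Well-known SIDs, so the script does not depend on localized group names.
$Admins = 'S-1-5-32-544'                # BUILTIN\Administrators
$System = 'S-1-5-18'                    # NT AUTHORITY\SYSTEM
$Users  = 'S-1-5-32-545'                # BUILTIN\Users
$SidType = [System.Security.Principal.SecurityIdentifier]

function Invoke-Icacls {                # hypothetical helper: fail loudly on error
    param([string[]]$Arguments)
    $out = & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed: $out" }
}

# 1. Top level: grant admins and SYSTEM explicitly first, then drop every
#    ACE inherited from the volume root (this is where Users comes from).
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
Invoke-Icacls $WebRoot, '/grant:r', "*${Admins}:(OI)(CI)F", "*${System}:(OI)(CI)F"
Invoke-Icacls $WebRoot, '/inheritance:r'
Invoke-Icacls $WebRoot, '/remove:g', "*$Users"   # any explicit Users ACE

# 2. Per site: only that site's pool identity gets read/execute on its folder.
foreach ($site in $Sites) {
    $path = Join-Path $WebRoot $site
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Invoke-Icacls $path, '/grant:r', "IIS AppPool\${site}:(OI)(CI)RX"
}

# 3. Verify: every ACE on a site folder must belong to admins, SYSTEM or
#    that site's own pool. Anything else (Users, another pool) is reported.
foreach ($site in $Sites) {
    $poolSid = ([System.Security.Principal.NTAccount]"IIS AppPool\$site").Translate($SidType).Value
    $allowed = $Admins, $System, $poolSid
    $acl = Get-Acl -Path (Join-Path $WebRoot $site)
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate($SidType).Value
        if ($sid -notin $allowed) {
            Write-Warning "$site : unexpected ACE for $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
}
```

A pool that needs to write (uploads, logs) can be given `(OI)(CI)M` on that one subfolder instead of widening the grant on the site root.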