We have this policy defined at the organization level for Windows 2012, and now the local application administrators are unable to add IIS local groups as there is no option to modify it.
https://blogs.msdn.microsoft.com/chaun/2012/01/20/two-iis_iusrs-related-problems-caused-by-group-policy-overrides/
Would like to have someone shed some light on the best practices. How are you implementing this policy in your environment?
sumesh