Windows authentication & Application pool identity

Dear All,

I'm a little bit confused to understand the application pool identity configurations for Windows authentication. I have below two scenarios. In both scenarios, we have file uploading features in the web applications.

Scenario 1:

• IIS web application server OS: Windows Server 2012 R2
• Server name: IISCluster1A.contoso.com
• Application URL: http://192.168.1.1/WebApp1
• Application physical path: C:\inetpub\wwwroot\WebApp1 on the IIS 
• Application pool name: AppPool1
• Application pool identity: ApplicationPoolIdentity (IIS default)
• Authentication: Windows authentication
• File uploading feature 1 - Temporary file uploading path: C:\inetpub\wwwroot\WebApp1\TemporaryUploadedFiles (local folder)
• File uploading feature 2 - Attachment uploading path: \\FileServerCluster\WebApp1\UploadedAttachments (shared folder)
• Testing user who is going to access WebApp1 and upload files from IE: CONTOSO\User1

My questions of scenario 1 are in the below.

• File uploading feature 1 - In the security settings (ACL) of the local folderC:\inetpub\wwwroot\WebApp1\TemporaryUploadedFiles, I should grant Write/Modify access toCONTOSO\User1 or IIS AppPool\AppPool1?
• File uploading feature 1 - In the security settings (ACL) of the shared folder \\FileServerCluster\WebApp1\UploadedAttachments, I should grant Write/Modify access toCONTOSO\User1 or CONTOSO\IISCluster1A$?

Scenario 2:

• IIS web application server OS: Windows Server 2012 R2
• Server name: IISCluster2A.contoso.com
• Application URL: http://192.168.2.1/WebApp2
• Application physical path: C:\inetpub\wwwroot\WebApp2 on the IIS 
• Application pool name: AppPool2
• Application pool identity: CONTOSO\IISServiceAccount2
• Authentication: Windows authentication
• File uploading feature 1 - Temporary file uploading path: C:\inetpub\wwwroot\WebApp2\TemporaryUploadedFiles (local folder)
• File uploading feature 2 - Attachment uploading path: \\FileServerCluster\WebApp2\UploadedAttachments (shared folder)
• Testing user who is going to access WebApp2 and upload files from IE: CONTOSO\User2

My questions of scenario 2 are in the below.

• File uploading feature 1 - In the security settings (ACL) of the local folderC:\inetpub\wwwroot\WebApp2\TemporaryUploadedFiles, I should grant Write/Modify access toCONTOSO\User2 or CONTOSO\IISServiceAccount2?
• File uploading feature 1 - In the security settings (ACL) of the shared folder \\FileServerCluster\WebApp2\UploadedAttachments, I should grant Write/Modify access toCONTOSO\User1 or CONTOSO\IISServiceAccount2?

Thanks,
高麻雀