I used the Web Platform installer to setup Wordpress/PhP/MySQL on my 2008R2 box and then deployed a simple corporate info web site using WordPress. The web site seems to be working fine but I always like to poke around under the hood a bit to get familiar with what's going on.
The site is using Anonymous Authentication and the DefaultAppPool. From what I understand, this means that IUSR account is being used to run the site and that this account should have access to the WordPress files. This is confirmed by turning on object access auditing in local security policy and setting folder auditting settings. I can see in the event viewer where IUSR account is reading the files in the WordPress folders.
The problem is that I don't see where IUSR has been given access to these folders. The folder permissions are the default permissions for inetpub folder which currently show as: System, Administrators, Creator/Owner and Users. IUSR is not a member of Users and certainly not a member of Admins. When I test by using the "effective permissions" button on the security settings it shows that IUSR does not have any access to this folder which is consistent with the permissions I see.
So how is it that IUSR is still reading these files and folders and the web site is working?
Thanks,
Diego