
IIS 7.5 Integrated Authentication without Impersonation NTFS Permissions


I feel like this question must have been answered before but my search capabilities have been exhausted.

Using IIS 7.5 with only Windows authentication enabled.

Impersonation is disabled.

The application is configured with an app-pool identity specified (domain user).

As I understand the vast majority of the documentation from MSDN, the identity of the user checked in file system ACLs should be the app pool identity.

http://msdn.microsoft.com/en-us/library/kwzs111e(v=vs.100).aspx

http://msdn.microsoft.com/en-us/library/3yfs7yc7(v=vs.100).aspx

http://msdn.microsoft.com/en-us/library/gg703322%28v=vs.98%29.aspx

However, what we have been experiencing is that end-users (the users who are authenticated and accessing the site through the browser) need to have access to the folders that the application is hosted in. What am I missing? I understand that there are a number of identities in play but that the Windows identity used in securing resources should not be the end-user unless we are using impersonation.

Yet there are a few scattered resources that suggest the file authorization module in .NET will ignore this. Is this configurable?

http://msdn.microsoft.com/en-us/library/system.web.security.fileauthorizationmodule(v=vs.100).aspx

I can't figure out why my observations don't match what seems to be the standard behavior without impersonation. I confirmed that the System.Security.Principal.WindowsIdentity current WindowsIdentity is in fact the app pool identity configured for the application, and yet file checks appear to be based on the identity returned by HttpContext.Current.User.Identity.

