Two questions about IIS permissions


Good day to you! And sorry for my English.

I have been using IIS for some time, and now I have noticed two things that look strange to me. I tested them on a clean Windows install and I think this is probably normal, but I really wonder why it works like that.

The first thing is IIS authentication: I just installed IIS and got the default website with IUSR Anonymous Authentication and a wwwroot folder with read permissions for the IIS_IUSRS group. But when I removed IIS_IUSRS from the wwwroot folder, I still had access to the website (both locally and from the LAN). Moreover, I still had access after I changed the Anonymous Authentication method to Application Pool identity. Yes, if I check the Deny option for the AppPool identity or for the IIS_IUSRS group I get a 403 error, but why do I have access when there are no IIS users/groups in the access lists? Is this secure?

Update: I figured out that I have access to the website because the Users group has access. But why should users have access?

The second thing is application security. I run a PHP application under the IIS Application Pool identity, and I granted "IIS AppPool\*AppPool name*" write permissions to the website root folder and all subfolders (these are the only folders where "IIS AppPool\*AppPool name*" has rights). The website folder has permissions only for the AppPool and for my user. In the PHP application configuration there is an option where I can specify some directory, and the application will create it if it does not exist. When I specified a directory outside the website folder, the AppPool identity created it without any problems. I mean that I just got a folder with a file on the root of my C: drive, created by the AppPool. Is this normal? I know that I can restrict this using PHP variables, but how can the AppPool create files where it does not have rights? Or is this because I gave write permissions on all website files and folders for testing? I am totally confused.
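As an added example (not part of the original post), the following PowerShell audit looks at both questions from the NTFS side. It lists the access control entries on the site root and on each ancestor directory for the principals that usually explain "unexpected" access (BUILTIN\Users, NT AUTHORITY\Authenticated Users, Everyone, BUILTIN\IIS_IUSRS and the app pool's own virtual account), and for a directory outside the site it finds the nearest existing parent and reports which of those entries allow creating content there. `$SitePath`, `$AppPoolName` and `$OutsidePath` are placeholders for your own values. Access is evaluated against every group the app pool identity belongs to, so an Allow entry for BUILTIN\Users or NT AUTHORITY\Authenticated Users applies to it even when no IIS-specific principal appears in the list.

```powershell
# Added audit script; it is not from the original post. Assumptions: run in an
# elevated PowerShell 5.1+ session on the IIS host, and $SitePath, $AppPoolName
# and $OutsidePath are placeholders for your own site root, app pool and test path.

$SitePath    = 'C:\inetpub\wwwroot'     # placeholder: site root
$AppPoolName = 'DefaultAppPool'         # placeholder: app pool name
$OutsidePath = 'C:\created-by-apppool'  # placeholder: directory the PHP app tried to create

# Principals whose ACEs explain access that "no IIS user" seems to have.
$WatchList = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\IIS_IUSRS',
    "IIS AppPool\$AppPoolName"
)

# Any of these rights lets the holder create or change content.
[System.Security.AccessControl.FileSystemRights]$WriteMask =
    'Write, Modify, FullControl, CreateFiles, CreateDirectories'

function Get-IisRelevantAces {
    # Returns the ACEs on $Path whose principal is in $WatchList, flagging
    # whether the entry allows writing and whether it was inherited.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($WatchList -notcontains $who) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Type      = $ace.AccessControlType          # Allow or Deny
            Rights    = $ace.FileSystemRights
            CanWrite  = ($ace.AccessControlType -eq 'Allow') -and
                        ((([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0)
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

function Get-AncestorChain {
    # Yields $Path, then each parent up to the drive root, so that the level
    # where an entry is set explicitly (not inherited) can be located.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path
    while ($p) { $p; $p = Split-Path -Parent $p }
}

function Get-NearestExistingAncestor {
    # Walks up from $Path until it finds a directory that exists; the ACL of
    # that directory decides whether a new subfolder may be created.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p)) { $p = Split-Path -Parent $p }
    return $p
}

"=== Question 1: explicit (non-inherited) entries for watched principals from $SitePath up to the drive root ==="
Get-AncestorChain -Path $SitePath |
    ForEach-Object { Get-IisRelevantAces -Path $_ } |
    Where-Object { -not $_.Inherited } |
    Format-Table Path, Identity, Type, Rights, AppliesTo -AutoSize

$parent = Get-NearestExistingAncestor -Path $OutsidePath
"=== Question 2: write-capable entries on $parent (nearest existing parent of $OutsidePath) ==="
Get-IisRelevantAces -Path $parent |
    Where-Object { $_.CanWrite } |
    Format-Table Identity, Rights, Inherited, AppliesTo -AutoSize
```

The script reports entries, not the final effective access: a Deny entry in the output overrides any Allow for the same identity, and an entry applied only to subfolders and files (`PropagationFlags` containing `InheritOnly`) does not grant access to the directory it is set on. The second report is the one to read for the "folder created on C:" behaviour, since the ability to create a subfolder is decided by the ACL of the existing parent, not by the ACL of the site root.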
