
Webserver Setup System32 and SysWow64 Unable to Grant Folder Permissions


Part 1 (not doing part 2 unless it is the only way)

Background:

    We have a Windows 2012 Server running IIS 8.5. Behind the scenes we interface with other servers like PayPal, banks, etc.

    Sometimes the other outfits supply the components that we have to use. Some of these components are legacy 32 bit VB6 DLLs.

    Sometimes we need to test features that interface with other servers on the live server.

    Currently we have set the Application Pool Identity as the machine Administrator. We don't like doing this, but it allows the application to function; however, this is not good enough to make debugging possible.

The Problem:

I understand that normally it is not a good idea to mess with the permissions on system folders but I cannot see any other way round this issue.

After install of Windows Server 2012 the System32 and SysWow64 folders are owned by TrustedInstaller. This means that I am unable to grant read permissions for Application Pool Identities like IUSR, IIS_IUSRS, or any other users. Certainly on a development machine the IDE and debugging just will not work unless you use the MS IUSR identity. You also need to set read permissions for the App Pool identity on a heap of other folders too.

The only way I can see round this problem is to login as Administrator and take ownership of these system folders so that I can grant the Read permissions so that IIS applications can work.

If Administrator takes ownership of the system folders, is there anything that can go wrong? I presume that anybody setting up a website would need to do this?

Further details:

I can run a component in the debugging environment and use CreateObject from a VBS script, which works fine. From an ASP page the Server.CreateObject ASP fails with an Error 429 ActiveX component can't create object. Normally I would allocate permissions to the IUSR user on the system folders and the other required folders, including the registry classes, and the problem goes away.

Part 2

If, following answers to part 1, it proves essential to change System32 & SysWow64 ownership I was proposing to use the following method:

TAKEOWN.exe to change the owner, then ASAP after use ICACLS.exe to grant full access to the Administrators group and TrustedInstaller.

Thanks in advance for your advice.
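
Before running the TAKEOWN/ICACLS steps proposed in Part 2, the current state of both folders can be recorded with a read-only check. The script below is an added example, not part of the original post: it prints the owner, saves each folder's DACL with `icacls /save`, and lists the entries that already apply to the IIS identities named in the question. The identity list and the backup directory are assumptions.

```powershell
# Added example: read-only audit. It changes no ownership and no ACLs.
# Assumptions: the identity list and the backup directory are illustrative.
param(
    [string[]]$Folders    = @("$env:windir\System32", "$env:windir\SysWOW64"),
    [string[]]$Identities = @('BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\IUSR'),
    [string]$BackupDir    = (Join-Path $env:TEMP 'acl-backup')
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($folder in $Folders) {
    $acl = Get-Acl -LiteralPath $folder
    Write-Output "`n$folder"
    Write-Output "  Owner: $($acl.Owner)"

    # Save this folder's DACL only (no /T, so children are not walked).
    # icacls /save does not record the owner, which is why it is printed above.
    $backup = Join-Path $BackupDir ((Split-Path $folder -Leaf) + '.acl')
    icacls $folder /save $backup /Q | Out-Null
    Write-Output "  DACL saved to: $backup"

    foreach ($id in $Identities) {
        $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $id })
        if ($rules.Count -eq 0) {
            Write-Output "  ${id}: no explicit or inherited entry"
            continue
        }
        foreach ($r in $rules) {
            # Generic rights show up as raw numbers; print them as-is and flag
            # only the entries that clearly include ReadAndExecute.
            $hasRx = ($r.FileSystemRights -band $readExec) -eq $readExec
            Write-Output ("  {0}: {1} {2} (inherited={3}, includes R+X={4})" -f `
                $id, $r.AccessControlType, $r.FileSystemRights, $r.IsInherited, $hasRx)
        }
    }
}

# If ownership was changed for testing, it can be handed back afterwards with:
#   icacls "C:\Windows\System32" /setowner "NT SERVICE\TrustedInstaller"
# and a saved DACL restored with (note: /restore takes the parent directory):
#   icacls "C:\Windows" /restore "<BackupDir>\System32.acl"
```

Run it from an elevated PowerShell prompt; the saved `.acl` files and the printed owner give a baseline to compare against after any permission change.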
