>The issue is that if you give write/modify access to IUSR, then anyone accessing the effectively has those same permissions. If they can compromise your site (eg. upload a file and get it executed), it will happen under that account. There are ways of temporarily impersonating other users, putting special permissions on some folders that only admins have access to (via NT authentication), etc. that can help reduce the changes things can be compromised.

Thanks,

I ran into a situation where I had to give the read/write permissions to IUSR in order to get parts of DNN to run. I solved it by changing hosts.

WOW Lot of reading there. Being somewhat of a noob to this aspect of security a lot of it is somewhat over my head still.

>>If they can compromise your site (eg. upload a file and get it executed)

OK so the security concern is to prevent the amount of damage that can be done after the system has already been compromised. There isn't just some easy way for IUSR to upload or modify a file just because it has write/modify privileges.

One fundamental thing I guess I don't get. Once they manage to get an executable uploaded. Wouldn't it execute under the ASPNET/NETWORK account?

Thanks again.