[thelist] IUSR_machinename - is it part of 'everyone' group?

Mike King mike.king at redroom.co.uk
Mon Jun 25 10:03:36 CDT 2001


This may answer your question?
<http://www.google.com/search?sourceid=navclient&q=IUSR%5F+account+part+everyone+group>

---------------- 
http://support.microsoft.com/support/kb/articles/Q158/2/29.asp 
-----------------
<snip>
By default, when IIS is installed, it creates a user account called 
IUSR_<servername>, where <servername> is the name of the server on which 
IIS is running. This user account is added to the "Guests" group on the 
machine, which implies that its access to resources is limited. When an 
HTTP request is received by IIS with Anonymous authentication being used, 
IIS will impersonate the IUSR_<servername> account in order to execute any 
code or access any files that are involved in the request. This allows a 
level of security by limiting the accessibility to such things as system 
files by an unauthenticated user. IIS is able to impersonate the 
IUSR_<servername> account because the username and password credentials for 
this account are known by IIS.

You can change the account that is used for anonymous authentication in 
Internet Service Manager. You can also change the security privileges for 
the IUSR_<servername> account in Windows NT User Manager. Be aware that any 
changes will result in changes to every anonymous HTTP request that is 
serviced by IIS. Also note that if the anonymous account configured in 
Internet Manager does not have the "Log On Locally" right (not a right 
given to "Guest" accounts by default on domain controllers), then IIS will 
not be able to service any anonymous requests. The IIS installation 
specifically gives you the "Log On Locally" right to the IUSR_<servername> 
account.

Most resources, such as the IUSR_<servername> account, that allow Guests to 
access them, do so by allowing access to the special group "Everyone." You 
can set permissions on files and other resources specifically to allow or 
disallow the IUSR_<servername> account to access them, but most people end 
up managing access by controlling access to the groups "Everyone" or "Guests."
</snip>
------------------

>Interesting idea, which we may decide to implement, but it doesn't answer
>the question: is the IUSR_machinename account part of the NTFS group
>'Everyone' ? I think not, but can't find any hard evidence.




