At times users access a resource as though they were

someone else. This is known as impersonation. For example,

if a web page has no access controls, then any user can

access that web page. HTML pages, ASP pages, and components

in version 3.0 and earlier can be accessed through two

accounts named IUSR_machinename and IWAM_machinename. Both

the accounts are set up during IIS installation, and are

automatically added to all the folders in every web site on

the server.

Anonymous access to a resource in IIS makes the task of

identifying a user extremely difficult. But there is no

need to authenticate a user in the case of IIS. When IIS

receives a request for a web page or other resource that

has permission for anonymous access, IIS treats the

IUSR_machinename account as the user's account, to access

the resources. If the resource requested by the user is an

ASP page that uses a COM or COM+ component, that component

is executed using the IWAM_machinename account.