Another important thing to mention is Application Security.
In previous versions of IIS, worker processes ran as LocalSystem, a powerful account that has system administrator privileges on the server. Because LocalSystem has access to almost all resources on the operating system, this caused security implications. In IIS 6.0 (Application pool introduced), one can set the identity of the worker process at the application pool level. The identity of an application pool is the account under which the application pool's worker process runs. By default, application pools operate under the NetworkService account, which has low-level user access rights.
By running the worker process using a very low-privileged account such as NetworkService, one can reduce the security vulnerability. However, by using IIS manager, it is possible to configure the application pool to run as any of the following pre-defined accounts:
NetworkService
LocalSystem
LocalService
