I asked a question here last night ("new installation of windows 2008 R2 ... having permissions issues (everyone has access)") about not being able to limit permissions to my web folders. It turns out that it was because when I created a wwwroot folder on my d:\ drive (not the default c:\inetpub\wwwroot), it added my %machinename%\users group with "special" permissions (as well as read/execute). I could never tell what the "special" permissions were (as far as reading, writing, etc.). I therefore removed all access to my d:\inetpub\wwwroot for %machinename%\users and was able to limit access to IUSR and IIS_IUSRS the way I wanted.
I don't know enough about application pool identities, etc., to know if this may cause an issue down the road. I.e., I don't know if the application pool identity relies on the %machinename%\users group to do certain things. Will removing permissions for that group force impersonation? Will it cause other problems?