You can't have an account that isn't a member of IIS_WPG be an application pool identity. The IIS_WPG group is configured with just the right amount of NTFS permissions and user privileges to allow members of the group to be application pool identities.
See: IIS and Built-in Accounts (IIS 6.0) and in particular: Configuring Application Pool Identity in IIS 6.0 (IIS 6.0)
If you wanted to set up another group or user with the same minimum permission set, it would be identical to what IIS_WPG has.
One thing you shouldn't be doing is assigning the IIS_WPG group any kind of permission in your web folders. IIS_WPG is just a convenient group to allow admins to permit custom user accounts to be pool identities.
The rights you assign to your IIS web folders should go to the pool account itself, where the pool account is also the anonymous user for the site.
Or, if you're running multiple sites inside the same pool but need different anonymous identities, then you would configure additional Windows accounts and set these as the anonymous user.
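As an added example (not part of the original answer), here are the steps above as a cmd script for IIS 6.0: a dedicated account in IIS_WPG as pool identity and anonymous user, with NTFS rights granted to that account rather than to IIS_WPG. The site metabase ID (1), pool name, account name, folder path and the password placeholder are assumptions.

```batch
@echo off
REM Added example, not from the original answer. Assumes: site metabase ID 1,
REM web root C:\inetpub\wwwroot\Site1, a new local account Site1Pool, and
REM adsutil.vbs in %SystemDrive%\inetpub\AdminScripts. Replace PASS before use.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\inetpub\AdminScripts\adsutil.vbs
set POOL=Site1Pool
set ACCT=Site1Pool
set PASS=CHANGE_ME_PLACEHOLDER
set SITE=W3SVC/1
set WEBROOT=C:\inetpub\wwwroot\Site1

REM 1. Create the dedicated account and make it a member of IIS_WPG,
REM    which carries the minimum rights needed to run as a pool identity.
net user %ACCT% %PASS% /add /passwordchg:no
net localgroup IIS_WPG %ACCT% /add

REM 2. Create the pool and run it as that account (AppPoolIdentityType 3 = specific user).
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %COMPUTERNAME%\%ACCT%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %PASS%

REM 3. Bind the site to the pool and use the same account as its anonymous user.
%ADSUTIL% SET %SITE%/ROOT/AppPoolId %POOL%
%ADSUTIL% SET %SITE%/ROOT/AnonymousUserName %COMPUTERNAME%\%ACCT%
%ADSUTIL% SET %SITE%/ROOT/AnonymousUserPass %PASS%

REM 4. NTFS: grant the pool account (not IIS_WPG) read access to the web folder.
REM    /E edits the existing ACL instead of replacing it; /T applies to the tree.
cacls "%WEBROOT%" /E /T /G %ACCT%:R

REM Sanity check: IIS_WPG should not appear in the web folder's ACL at all.
cacls "%WEBROOT%" | findstr /I IIS_WPG && echo WARNING: IIS_WPG has rights on %WEBROOT%
endlocal
```

For a second site in the same pool that needs its own anonymous identity, repeat step 1 for another account and set only the AnonymousUserName/AnonymousUserPass and NTFS grant for that site's root.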