
I am using Windows 2012 and have configured my IIS application pool to use my own 'XXXWeb' account. My website is using the correct application pool (the W3WP process is also running as 'XXXWeb'). I configured the 'XXXWeb' user so that it doesn't have write permissions in the web directory.

To my surprise, I saw that the user could write a logfile in a directory where the 'XXXWeb' user doesn't have any rights. I checked using Process Monitor and I saw that the 'WriteFile' operation was executed with 'XXXWeb' privilege and it succeeded. When I try to write the exact same file while logged on as 'XXXWeb', it fails.

Does anyone know what could be wrong? I don't want the AppPool to have write rights, to prevent security issues if my IIS gets hacked for some reason.

  • I ran into a similar issue on win 2008. Under authentication, Anonymous Authentication for the website, it was set to IUsr. Maybe try changing that to App Pool Identity. – lucuma May 26 '14 at 22:00

0 Answers