The following content was copied from this reference:
http://stackoverflow.com/questions/7334216/iis7-permissions-overview-applicationpoolidentity
ApplicationPoolIdentity is actually the best practice to use in IIS7. It is a dynamically created, unprivelaged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:
If you application pool is named "DefaultAppPool" (just replace this text below if it is named differently)
Open Windows Explorer
Select a file or directory.
Right click the file and select "Properties"
Select the "Security" tab
Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
Click the "Check Names" button and click "OK".
