Microsoft's Internet Information Server (IIS) uses a local computer account, IUSR_servername to provide access to the filesystem and other resources for anonymous web users.  We've had some problems getting the permissions correct for this acount.

I'd like to propose the following scheme, based on the recommendations from Microsoft's IIS 6.0 Security Best Practices

• Let's create a local group named "ANONYMOUS_USERS" on each IIS server, and add the IUSR_servername and any other "anonymous" accounts in use to this group.  Note that IUSR_servername would not be in the "Users" local group.
• Using group policy, we can allow ANONYMOUS_USERS the "access this computer over the network" privilege, which is safer than EVERYONE
• Also using GPOs, we can deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.

Thoughts?