I have an asp.net website that is hosted in IIS 7.5
The website has to use windows authentication. The users are added to an AD group. The AD user group has full control on the web folder in which the website is published. Server/IIS_IUSRS has full control on the web folder too.
The data that the website is required to use is stored in another server. The AD group has Full control on the folder in which the data is stored.
I am using Classic mode because Integrated breaks it.
What should be the website authentication and APP Pool settings?
Personally I have become a fan of setting the app pool identity to an AD service account and then allowing the app to access the database and other resources using those credentials. No need to pass the credentials on the connection string or try to impersonate the users (EDIT: Should note that this applies to resources which use windows integrated security). Also no need to try to give the users direct access to the datastore or other resources, just the app credentials need to have access. It is a bit more trouble to set up initially but much easier to manage in the long run.
Here is the checklist I send to our server group whenever I ask them to set up a new site for me: (note this is based on Win Serv2003 and IIS 6, things may be different in the newer versions.)
application
service account
IIS_WPG group on the server
Read & Execute, and List Folder
Contents permissions for the website
directory and Read and List Folder
Contents to the C:\Windows\Temp
folder (or equivalent).
Quotas for a Process”, “Replace a
Process Level Token”, and “Log On as
Service” to the service account