in Web.config. However, I gather that
this is only if you want users to log
in with Windows Authentication. It has
nothing to do with the server logging
in to SQL Server

This is partially true. The impersonated account will be used to logon SQL server if delegation is setup properly. You didn’t see this because in most of the environment, delegation needs to be explicitly setup. Delegation is a more powerful form of impersonation and makes it possible for the server process (in your case, IIS process) to access remote resources (in your case, SQL server) while acting as the client. For more information, you can google ASP.NET Delegation. I said it’s partially true because in some simple environment, you don’t even need any special configuration. The delegation is just working. For example, if you have SQL server running on the same machine as the IIS server. Another case is that you have your IIS server running on an Active Directory domain controller (very rare). In these two cases or on a machine with delegation configured properly, your above statements will be wrong.

It seems that if I:

• set the App Pool Identity to the
  domain account
• enable Anonymous
  Access on the site using the domain
  account
• use a connect string with
  Windows Authentication

then the site
will connect to SQL Server via Windows
Authentication. Also, it will use the
domain account as long as
impersonation is off. Is this correct?

Yes, this is correct.

Given that my Windows account has
access to files on the server and the
database which the site is connecting
to, this seems hard to test….

It’s easy to test if you have two domain accounts (or one domain account and one local account). Set the App Pool identity to use your DomainAccount1. Grant only DomainAccount1 to have permission to access your database. Access your web app on another machine using another accound (either domain account or local account). Test if the web app can properly access your database.