<processModel>: Impersonation...?

[TM]

In the "Implementing Impersonation in an ASP.NET Application at the
following URL: [url]http://support.microsoft.com/?kbid=306158[/url],
MS suggested to "Change the account that the Aspnet_wp.exe process runs
under to the System account in the <processModel> configuration section of
the Machine.config file.".

1. As I understand, this will affect the entire machine ? If I use this
suggestion, how do I configure other sites within the same IIS box to run
the default ASPNET account ?

2. At present, I leave the Machine.Config as it is ("machine") so that other
sites within the same IIS box runs as a default (Using ASPNet). I then use
"Web.Config" per site to impersonate a specific Windows Account for each
site. Is this better solution in term of security ?

Thanks for your input,

Thomas

[David Coe, MCP]

As far as managing user and accessing resources, it is not the best idea to run ASP.NET as the system account. This means that anytime the worker process tries to access resources on the machine, it does so as the highliy priveledged SYSTEM account. There are a few ways around this, the best way is to try to change the account to ASPNET. Yes, this changes all of the sites on the box. At the same time, if impersonation is enabled in each application, ASP.NET will pass the user credentials down to the file system.

If you have problems running ASPNET_WP as the ASPNET account (such as I did), you may want to check out [url]http://www.codeproject.com/aspnet/Sec_Run_ASPNET_WP.asp[/url], which is a nicer alternative than what you are currently trying to accomplish.