Configuring Isolation Modes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can run IIS 6.0 in one of two modes: worker process isolation mode or IIS 5.0 isolation mode. Worker process isolation mode is the default mode, that is, the mode that the server runs in on a clean installation. You can use IIS 5.0 isolation mode to run applications developed for older versions of IIS that are determined to be incompatible with worker process isolation mode.

This topic includes the following information:

  • Configuring IIS for worker process isolation mode.

  • Configuring IIS for IIS 5.0 isolation mode.

Configuring IIS for Worker Process Isolation Mode

Worker process isolation mode is the default service mode in IIS. Worker process isolation mode delivers all the benefits of IIS 6.0 new architecture: robust application pooling; automated restarts, scalability, debugging; and finely-tuned performance tuning. Web applications run with the Network Service identity, which provides a security advantage: the Network Service account has lower access privileges than LocalSystem. Use worker process isolation mode unless you must run applications that might conflict with it, as stated below in "Configuring IIS for IIS 5.0 Isolation Mode."

To complete the following procedure, you must restart IIS, which will temporarily interrupt the World Wide Web Publishing Service (WWW service).

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To configure IIS for worker process isolation mode

  1. In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.

  2. Click the Service tab, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

  3. To start the WWW service, click Yes.

If the switch to worker process isolation mode is successful, a folder named Application Pools appears in the IISManager listing for your local computer. You can always determine which isolation mode IIS is running by the presence (worker process isolation mode) or absence (IIS 5.0 isolation mode) of the Application Pools folder.

Configuring IIS for IIS 5.0 Isolation Mode

You must use IIS 5.0 isolation mode for applications that conflict with worker process isolation mode until the applications are modified.

The following application characteristics conflict with worker process isolation mode:

  • Dependency on Inetinfo.exe: If the application must run in the Inetinfo.exe process, it must be run in IIS 5.0 isolation mode because applications do not run in Inetinfo.exe in worker process isolation mode.

  • Requires Read Raw Data Filters: Read Raw Data Filters are available in IIS 5.0 isolation mode only.

  • Requires Dllhost.exe: Applications that must be run in a Dllhost.exe environment can be run only in IIS 5.0 isolation mode because Dllhost.exe is not available in worker process isolation mode.

If the IIS 6.0 service is running in worker process isolation mode (the IIS 6.0 default mode), and you must run applications that do not meet the requirements for worker process isolation mode, switch to IIS 5.0 isolation mode. This means you will not be able to take advantage of worker process isolation and the other features of worker process isolation mode.

After you complete the following procedure, you must restart the WWW service, which will temporarily interrupt the service.

To configure IIS for IIS 5.0 isolation mode

  1. In IIS Manager, expand the local computer, right-click Web Sites, and then click Properties.

  2. Click the Service tab, select the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.

  3. To start the WWW service, click Yes.

Configuring IIS for an application mode using Adsutil.vbs

You can also configure IIS for an application isolation mode by setting the metabase property IIs5IsolationModeEnabled to true or false. Use the following procedure to configure this metabase property from a command line.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer</STRONG>Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any known parameters).

To configure IIS for an application isolation mode by using Adsutil.vbs

  1. In the Run dialog box, type cmd, and then click OK.

  2. To set the application isolation mode, type one of the following commands at the command prompt:

    • To configure the server to run in worker process isolation mode, type:

      cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/IIs5IsolationModeEnabled FALSE

    • To configure the server to run in IIS 5.0 isolation mode, type:

      cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/IIs5IsolationModeEnabled TRUE

    Note

    If you configured the server to run in IIS 5.0 isolation mode, you will need to set the level of application protection, or isolation, for each application running on the server. For instructions, see Isolating Applications in IIS 6.0.

  3. To restart IIS, at the command prompt, type:

    iisreset /noforce

    For more information about restarting IIS from the command line, see Restarting IIS.

To verify that you successfully changed to worker process isolation mode, check whether an Application Pools folder appears when you open IIS Manager on your local computer. You can always determine which isolation mode that IIS is running by the presence (in worker process isolation mode) or absence (in IIS 5.0 isolation mode) of the Application Pools folder.

Important

Do not confuse the DefaultAppPool application pool, which appears by default when you configure a computer to run in worker process isolation mode, with the MSSharePointAppPool application pool, which appears by default when you install FrontPage2002 Server Extensions or SharePointâ„¢ Team Services from Microsoft.

Note

Do not use, delete, or make changes to the MSSharePointAppPool application pool. It holds files that are used internally by FrontPage Server Extensions and SharePoint Team Services. For more information, see Using FrontPage 2002 Server Extensions with IIS 6.0.