Anonymous Access
Applies To: Windows Server 2003, Windows Server 2003 with SP1
Anonymous access, the most common Web site access control method, allows anyone to visit the public areas of your Web sites. In IIS 6.0, anonymous users are assigned to the IUSR_ComputerName account, which is created when IIS is installed. This account is a valid Windows account and is a member of the Guests group. For example, if your computer name is SalesDept1, the anonymous account name is IUSR_SalesDept1. Each Web site on your server can use either the same or different anonymous user logon accounts. The IUSR_ComputerName account can be defined on a computer or on a domain.
In IIS 6.0, the IUSR_ComputerName account is denied Write access to Web content by default. In addition, this account is explicitly denied access to all executables (such as cmd.exe) in the %windir%\System32 folder. For security reasons, to run most executables in this folder, you must be a member of the Administrators group or of the LocalSystem, Interactive, or Service account. Therefore, an anonymous user cannot run these executables (for example, Common Gateway Interface (CGI) code that calls external programs such as PHP).
When the Web sites and applications running on your Web server require anonymous access, you must configure a user account specifically for anonymous access. This user account can be stored in the local account database on the Web server or in a domain.
Important
If you are upgrading to IIS6.0, be aware that the upgrade process automatically configures IIS to use the default anonymous user account IUSR_ComputerName, where ComputerName is the local computer. If you have a domain-based anonymous user account, you must configure the anonymous user identity to use this same domain-based account after the upgrade.