Configuring Application Isolation Settings in IIS 6.0 Worker Process Isolation Mode

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When the target server is configured to use worker process isolation mode, configure application isolation to closely approximate the settings that were used in IIS 5.0 isolation mode by assigning the Web sites and applications to application pools. An application pool is a grouping of one or more Web sites or applications served by one or more worker processes. You might need to apply additional configurations so that the applications retain their original isolation settings.

After converting to worker process isolation mode, all applications run in the preexisting application pool named "DefaultAppPool." If all of the applications ran in the same process in the previous version of IIS, then they are all assigned to the default application pool.

However, if any one of the applications in the same application pool fails, the other applications can be adversely affected. For this reason it is recommended that you isolate your applications into separate application pools whenever possible.

Configure Web sites and applications to run in their own application pool by completing the following steps:

For each Web site or application configured in High isolation in IIS 5.0

  1. Create a new application pool to be used by the Web site or application.

    For information about how to create application pools, see Isolate Applications in Worker Process Isolation Mode.

  2. If the Web site or application previously ran under an identity that is still required by the Web site or application, configure the application pool to use that same identity.

    For information about how to configure the identity for an application pool, see Configure Application Pool Identity.

  3. Assign the Web site or application to the new application pool.

    For information about how to assign the Web site to the new application pool, see Isolate Applications in Worker Process Isolation Mode.

For each Web site or application configured in Low or Medium isolation in IIS 5.0

In earlier versions of IIS, applications ran in-process as DLLs in Inetinfo.exe (Low isolation), and the default process identity (the account that the application runs under) was LocalSystem. With worker process isolation mode in IIS 6.0, applications never run in Inetinfo.exe. However, any applications that are not explicitly assigned to an application pool are assigned to the default application pool, which runs under the NetworkService process identity by default. Because LocalSystem has the same permissions and user rights as a member of the Administrators group, run Web sites and applications under the lower-privileged security context of the NetworkService account instead.

For each Web site or application that ran in Low or Medium isolation in IIS 5.0, do one of the following:

  • When the Web site or application is able to function under the identity of the NetworkService account in the default application pool, continue to host the Web sites or applications in the default application pool, named "DefaultAppPool."

  • When the Web site or application is unable to function under the identity of the NetworkService account in the default application pool, perform the following steps:

    1. Create a new application pool.

    2. Create a service account to be used as the identity for the application pool.

      For more information about how to create a service account to be used as an identity for an application pool, see Create a Service Account.

    3. Configure the application pool identity to use the service account.

      For more information about how to configure the identity for an application pool, see Configure Application Pool Identity.

    4. Place the Web site or application in the new application pool.
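The four steps above for an application that cannot run as NetworkService, as an added VBScript/ADSI example (not part of the original documentation). The pool name, site ID 1 and the account name are placeholders; run it with cscript on the IIS 6.0 server after the service account has been created.

```vbscript
' Added example: create a pool, give it a service-account identity, move a site
' into it, then flag any pool still running as LocalSystem.
' Run: cscript //nologo newpool.vbs   (the password prompt echoes what you type)
Option Explicit

Const POOL_NAME = "LegacyAppPool"                 ' placeholder pool name
Const SITE_ROOT = "IIS://localhost/W3SVC/1/ROOT"  ' assumes site ID 1
Const SVC_USER  = "CONTOSO\svc-legacyapp"         ' placeholder account; must
                                                  ' already exist (in IIS_WPG)
Const ID_LOCALSYSTEM   = 0   ' AppPoolIdentityType values in the IIS 6.0 metabase
Const ID_SPECIFIC_USER = 3

Dim pools, pool, app, p, pwd, found

WScript.StdOut.Write "Password for " & SVC_USER & ": "
pwd = WScript.StdIn.ReadLine

Set pools = GetObject("IIS://localhost/W3SVC/AppPools")

' Step 1: create the pool unless it already exists.
On Error Resume Next
Set pool = GetObject("IIS://localhost/W3SVC/AppPools/" & POOL_NAME)
found = (Err.Number = 0)
On Error GoTo 0
If Not found Then Set pool = pools.Create("IIsApplicationPool", POOL_NAME)

' Steps 2-3: run the pool's worker process as the service account.
pool.AppPoolIdentityType = ID_SPECIFIC_USER
pool.WamUserName = SVC_USER
pool.WamUserPass = pwd
pool.SetInfo

' Step 4: place the Web site's root application in the new pool.
Set app = GetObject(SITE_ROOT)
app.AppPoolId = POOL_NAME
app.SetInfo
WScript.Echo SITE_ROOT & " now runs in pool '" & POOL_NAME & "' as " & SVC_USER

' Check: no pool should be left running with LocalSystem privileges.
For Each p In pools
    If p.AppPoolIdentityType = ID_LOCALSYSTEM Then
        WScript.Echo "WARNING: pool '" & p.Name & "' runs as LocalSystem"
    End If
Next
```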