Under the topic of Anonymous Authentication, the IIS Help file states, "The anonymous account must have the user right to log on locally. If the account doesn't have the Log On Locally permission, IIS will not be able to service any anonymous requests." However, when I tested the anonymous logon, it seemed to be a network logon, not a local logon. Does the IUSR account require the Log On Locally right, as the documentation states?
In this case, the documentation is wrong. Strangely, it has been wrong for a long time. The IUSR account doesn't require the Log On Locally right. You can prove this point by enabling the Success for Audit Account Logon Events option, then checking the Security log in Event Viewer. As Figure 2 shows, you'll see the IUSR account logon event. Notice that the Logon Type field has a value of 3. This value corresponds to a network logon. A local logon (also called an interactive logon) is Logon Type 2. (For a description of the Logon Types, see the Microsoft article "Distinguishing Windows NT Audit Event Records," http://support.microsoft.com/default.aspx?scid=kb;en-us;q140714.)
The IUSR account has long been associated with the Log On Locally user right, so when I first discovered this error, I couldn't believe it. However, in Windows 2000, you can deny rights as well as assign them, so I conducted an experiment to deny the Log On Locally right to the anonymous account. This denial had no effect whatsoever on anonymous access to the test Web site.