By default, IIS (inetinfo.exe) is configured to run in the System account context, but you can use the Services console to change the identity of various services so that they run in a user account rather than the System account. In the event of a buffer-overflow attack on IIS, Inetinfo running under a user account rather than System would be quite helpful. How can I make that happen?

You're correct that Inetinfo runs in the System account and that the UI lets you specify a user account for services. However, Microsoft specifically doesn't support changing Inetinfo to run under any account other than the System account. Administrators who have tried have reported difficulties with system stability. My advice is to leave Inetinfo running under the System account.

Instead of changing the account, be sure your applications run under Medium (Pooled) or High (Isolated) application protection. Applications set for Medium or High protection run in an instance of dllhost.exe in the context of the IWAM_servername user, not the System account. The Medium protection level is the default for IIS 5.0 applications and is much more secure than the Low (IIS Process) protection mode. In IIS 6.0, you have the option of designating the user account in which to run the worker processes that host Web applications.
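
One way to check which protection level each IIS 5.0 application actually uses is to read the `AppIsolated` metabase property through ADSI, where 0 is Low (IIS Process), 1 is High (Isolated), and 2 is Medium (Pooled). The script below is an added example, not part of the original column; it assumes it is run by an administrator on the web server itself, and the file name in its comment is hypothetical.

```vbscript
' Added example (not from the original column): list IIS 5.0 applications
' and flag any that run in-process with inetinfo.exe (Low protection).
' Run on the web server: cscript //nologo audit-appisolated.vbs  (hypothetical file name)
Option Explicit

Dim svc, site, lowCount
lowCount = 0
Set svc = GetObject("IIS://localhost/W3SVC")

For Each site In svc
    If site.Class = "IIsWebServer" Then Walk site, site.ServerComment
Next

WScript.Echo lowCount & " application(s) run in the IIS process (System context)."
If lowCount > 0 Then WScript.Quit 1

' Recurse through the virtual directories and directories under a site.
Sub Walk(node, siteName)
    Dim child
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            Report child, siteName
            Walk child, siteName
        End If
    Next
End Sub

' AppRoot and AppIsolated are inherited, so a node is an application starting
' point only when AppRoot names the node's own metabase path.
Sub Report(node, siteName)
    Dim metaPath, level
    metaPath = Replace(node.ADsPath, "IIS://localhost", "/LM", 1, 1, vbTextCompare)
    If StrComp(node.AppRoot, metaPath, vbTextCompare) <> 0 Then Exit Sub

    Select Case node.AppIsolated
        Case 0
            level = "Low (IIS Process)  <-- runs inside inetinfo.exe"
            lowCount = lowCount + 1
        Case 1
            level = "High (Isolated)"
        Case 2
            level = "Medium (Pooled)"
        Case Else
            level = "unknown (" & node.AppIsolated & ")"
    End Select
    WScript.Echo siteName & "  " & metaPath & "  " & level
End Sub
```

The script exits with status 1 when any application is still at Low protection, so it can be used in a scheduled configuration check.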