File System Permissions with ASP.NET

When managing permissions for an ASP.NET application, make sure to set the permissions for the user account that the application runs under. This account differs depending on which version of IIS is running (and so, most likely, on the operating system in use).

To find the user that the application runs under, insert the following code into a page of your application:


The user that Windows XP uses (in my tests) is: ASPNET
The user that Windows Server 2003 uses (also in my tests) is: NETWORK SERVICE

Another factor to consider is that the above accounts were found with the application running with “IMPERSONATE IDENTITY” = False. If it were set to true, the account would be either IUSR_MACHINENAME or the domain user, if IIS has authenticated one.

Keep these issues in mind if you need to allow the end users elevated permissions (such as uploading files). You will have to give permissions to different accounts depending on what version of IIS you are using.
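
One way to report the account the application runs under and to check whether that account can write to an upload folder, as an added example (not the original post's code). The class name WhoAmI and the folder "~/Uploads" are assumptions, and the ACL check is an approximation that looks only at explicit and inherited rules for the account and its groups.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Web.UI;

// Added example: code-behind for a temporary diagnostic page.
// WhoAmI and "~/Uploads" are assumed names, not taken from the article.
public class WhoAmI : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity of the thread serving this request. With impersonation off this is
        // the worker process account; with it on, it is the impersonated user.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string dir = Server.MapPath("~/Uploads"); // assumed upload folder

        Response.ContentType = "text/plain";
        Response.Write("Running as: " + id.Name + "\n");
        Response.Write("Impersonation level: " + id.ImpersonationLevel + "\n"); // None = not impersonating
        Response.Write("Can create files in " + dir + ": " + CanWrite(id, dir) + "\n");
    }

    // Walks the folder's ACL for rules that name the account or one of its groups.
    // Any matching Deny rule wins over Allow rules, as in Windows access checks.
    static bool CanWrite(WindowsIdentity id, string path)
    {
        const FileSystemRights needed = FileSystemRights.WriteData; // "create files" on a directory
        AuthorizationRuleCollection rules;
        try
        {
            rules = Directory.GetAccessControl(path)
                             .GetAccessRules(true, true, typeof(SecurityIdentifier));
        }
        catch (UnauthorizedAccessException) { return false; } // account cannot even read the ACL
        catch (IOException) { return false; }                 // folder missing or unreadable

        bool allowed = false;
        foreach (FileSystemAccessRule rule in rules)
        {
            bool applies = rule.IdentityReference.Equals(id.User) ||
                           (id.Groups != null && id.Groups.Contains(rule.IdentityReference));
            if (!applies || (rule.FileSystemRights & needed) == 0) continue;
            if (rule.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }
}
```

Remove the page once the account is known, since it discloses the service account name and a server path. Grant that account write access on the upload folder only, not on the whole application directory.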