Ok, I fully realize this runs into the far reaches of obscurity, but I felt like sharing. I was just uploading an admin tool for one of our clients that host their own site. Part of the tool configuration was allowing write access to folder a for file uploads. Now, usually this just follows the simple adage of allowing {MACHINENAME}\ASPNET user for IIS5 or the {MACHINENAME}\Network Service user for IIS6. Therefore, this being an IIS5 server running on Windows 2000, I went looking for the {MACHINENAME}\ASPNET user only to find that didn't exist. I did a quick check to make sure impersonation wasn't configured and struck out there as well. Turns out that web server is also configured as a domain controller and on domain controllers there's no such thing as a "local" user - all users are domain users. I did some digging and came across this MSDN article on the processModel element of the machine.config file. Toward the bottom, there's a section on "Domain Controllers and the Local ASPNET Account" which indicates that on domain controllers running IIS 5, the process identity is run under the IWAM_machinename account. Setting the permissions based on that account and running iisreset has us rolling in on time!