Why a new windows user profile is created when I create an Application Pool in IIS

Question

I was recently cleaning up my file system and observed that there were few users, which I never created directly, in the c:\users* directory. This is supposed to have all those users which was created/logged in on local machines. I observed that these usernames are same as the name of Application Pools I have created in the IIS.

To confirm I created a new Application Pool in IIS and then observed this directory. Still it was not there. Later I created a new web site, assigned this application pool and accessed that website from browser, and then I see a new user profile with the name of the new application pool.

Question is - Why does it create a user profile for every IIS Application Pool? Is it absolutely necessary to have, and can it be configured for not creating? Will there be any downside? I do not remember to have seen this in earlier IIS i.e. 6.0.

My environment - Windows 7 64 Bit, IIS 7.5

I tried to google, but most links tell me how to configure User/Identity with app pool and stuff, but nothing specific about these questions.

Answer 1

This behaviour is because of the new security model starting with IIS 7.

Application Pool Identities started with IIS 7

Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

- Application Pool Identities (2009)

The main reason is security, each application pool is isolated from each other.

LoadUserProfile=true Creates the User Profile Folder

From experimenting on my machine I believe this setting is responsible for the folders being created.

Having LoadUserProfile set to true means that IIS will load the user profile for the application pool identity. This happens when the application is actually spun up, you can test this by creating a new app pool and if the setting is false, no new folders should be created under C:\Users when you hit the web site for the first time.

- IIS Documentation

According to the documentation LoadUserProfile should be false by default, although I have noticed that on Win 7 machines it might be set to true instead. You can change this default via the IIS gui: