Configure the application pool sandbox

Windows Server 2008 introduces a new feature: in addition to the built-in Windows user, information unique to each worker process is injected into the worker process's Windows security token, so that the resources of the individual worker processes are isolated from one another.

With previous versions of IIS, it was sometimes difficult to isolate different Web application pools from one another. If more than one Web application pool had to run under the same identity (for example, Network Service), code running in one Web application pool could use the File System object to access the configuration files, Web pages and other resources belonging to other Web application pools. This is because, when multiple processes run under the Network Service identity, there is no way to allow one of those processes to access a file while preventing the others from accessing the same file.

IIS 7.0, however, provides an isolation mechanism. In IIS 7.0, each Web application pool has its own application pool configuration file, which is generated automatically when the application pool starts. By default, these generated configuration files are saved in the C:\inetpub\temp\appPools folder. An additional SID (security identifier) is generated for each Web application pool, and that SID is injected into the pool's w3wp.exe process. Each application pool configuration file is protected by an access control list that allows access only to the process holding the associated SID. Because each w3wp.exe process has its own SID, each application pool configuration file can be accessed only by the one process that carries the matching SID.
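
To check on a server that this isolation is actually in place, the following script (an added example, not part of the original post) lists every application pool configuration file with the SIDs its access control list allows. It assumes the default folder named above and an elevated PowerShell session; the S-1-5-82 prefix used to recognise application pool SIDs and the list of shared principals are choices made for this example.

```powershell
# Added example: audit ACLs on IIS application pool configuration files.
# Assumption: files live under the default folder named above; run elevated.
param([string]$Root = 'C:\inetpub\temp\appPools')

# Well-known SIDs shared by many processes. An allow ACE for any of these
# would let worker processes of other pools open the file.
$shared = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-20'     = 'NETWORK SERVICE'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-568' = 'BUILTIN\IIS_IUSRS'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

$report = Get-ChildItem -Path $Root -Recurse -Filter '*.config' |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        # Resolve to raw SIDs so the check does not depend on name lookup.
        $allowed = @($acl.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Select-Object -Unique)

        # Application pool SIDs start with S-1-5-82-.
        $poolSids   = @($allowed | Where-Object { $_ -like 'S-1-5-82-*' })
        $sharedHits = @($allowed | Where-Object { $shared.ContainsKey($_) } |
            ForEach-Object { $shared[$_] })

        New-Object PSObject -Property @{
            File             = $file.FullName
            PoolSids         = $poolSids -join ', '
            SharedPrincipals = $sharedHits -join ', '
            # Isolated: exactly one pool SID and no shared principal.
            Isolated         = ($poolSids.Count -eq 1 -and $sharedHits.Count -eq 0)
        }
    }

# Files that fail the check sort first.
$report | Sort-Object Isolated |
    Format-Table Isolated, File, PoolSids, SharedPrincipals -AutoSize
```

A row with Isolated set to False means the file is readable by more than one pool or by a shared identity, which is the situation the per-pool SID is meant to prevent.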


Origin blog.51cto.com/2612012/2406063