ASP.NET takes advantage of two layers of security: 1) IIS Security, 2)
ASP.NET Security
You may read about the security model here:
http://aspnet.4guysfromrolla.com/articles/031204-1.aspx
What happens is that first, IIS has to authenticate the user. IIS may be set
to one of several different authentication modes, of which one is
"Anonymous". In old ASP, if you selected this option only, the user would
not be authenticated. All the actions of the user would be done using the
"IUSR_MACHINENAME" account.
In ASP.NET you may still be using the same account if you 1) set
authentication in IIS to use Anonymous, and 2) set the
<impersonation="true"> in web.config.
The default, however is <impersonation="false"> which means the "ASPNET"
user account will be used.
If you want to use integrated windows authentication (acces to the website
is done under the users domain or local windows account), then you should
select "Windows Authentication" in IIS and <authentication mode="windows">
(default setting) in web.config. And you should set <impersonation="true">.
Sincerely
Svein Terje Gaup