Sunday, September 18, 2005

How to Create a Service Account for ASP.NET

To create a service account:

  • Create a Windows account
  • Run the following Aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
    aspnet_regiis.exe -ga machineName\userName
    On Windows 2003, running the Aspnet_regiis.exe -ga command will add the account to the IIS_WPG group. The IIS_WPG group provides the Log on as a batch job permission and ensures that the necessary file system permissions are granted.
  • Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone from logging on to Windows locally with the account.
  • Use IIS Manager to create an application pool running under the new account's identity and assign the ASP.NET application to the pool.

Adapted from http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGPractices0001.asp.
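
One way to verify the result of the steps above, as an added example that is not part of the original post or the MSDN guidance: export the user rights with `secedit /export /areas USER_RIGHTS /cfg rights.inf` and check that the account is denied local logon and can log on as a batch job, either directly or through IIS_WPG. The sample export, the account name `webapp_svc` and all SIDs are constructed, and the function names are hypothetical.

```python
"""Audit a secedit user-rights export against the service account steps above."""

# Constructed sample of what `secedit /export /areas USER_RIGHTS` writes.
# Every SID below is made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005,IIS_WPG
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1010
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-... and some principals by name.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit_service_account(inf_text, account_ids, group_ids):
    """account_ids/group_ids: each name and SID the account and its groups may appear as."""
    rights = parse_privilege_rights(inf_text)
    who = {p.lstrip("*").lower() for p in (*account_ids, *group_ids)}
    findings = []
    if not rights.get("SeDenyInteractiveLogonRight", set()) & who:
        findings.append("Deny logon locally is not assigned")
    if not rights.get("SeBatchLogonRight", set()) & who:
        findings.append("Log on as a batch job is not assigned (directly or via group)")
    if rights.get("SeInteractiveLogonRight", set()) & who:
        findings.append("local logon is explicitly allowed; remove the grant")
    return findings

if __name__ == "__main__":
    print(audit_service_account(SAMPLE_INF, ["webapp_svc"], ["IIS_WPG"]))
```

Pass both the name and the SID of the account and of each group it belongs to, because the export may list a principal in either form.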
