Giving write permissions to all IIS_USRS group is a bad idea from the security point of view. You dont need to do that and you can go with giving permissions only to system user running the application pool.
If you are using IIS7 (and I guess you do) do the following.
- Open IIS7
- Select Website for which you need to modify permissions
- Go to Basic Settings and see which application pool you’re using.
- Go to Application pools and find application pool from #3
- Find system account used for running this application pool (Identity column)
- Navigate to your storage folder in IIS, select it and click on Edit Permissions (under Actions sub menu on the right)
- Open security tab and add needed permissions only for user you identified in #3
Note #1: if you see ApplicationPoolIdentity in #3 you need to reference this system user like this IIS AppPool\{application_pool_name} . For example IIS AppPool\DefaultAppPool
Note #2: when adding this user make sure to set correct locations in the Select Users or Groups dialog. This needs to be set to local machine because this is local account.
SOURCE: http://stackoverflow.com/a/14654062