IIS 6.0 & NTFS permissions

I know this will sound like a newbie question, but I'll ask anyway since have
done some searching and do not see anything that addresses my question
directly.

I have an IIS 6.0 web app running under an App Pool whose identity is a
Domain Account I've added to IIS_WPG. The web app does not use impersonation
(set to "false" in web.config) and should be running as the App Pool Domain
Account. This domain account has been granted all necessary NTFS permissions
to get to the ASPX pages, and the assembly (DLL).

When I lock down the NTFS permissions on the web app's home directory folder
(D:\MyCoolWebApp) to just Administrators and the App Pool Domain Account.
Users are getting a 401.3 error when they browse to the application.
However, when I grant Domain Users READ access to the folder, users may
browse to the site with no problems.

Apparently IIS (or the OS) compares the NTFS permissions against the
identity of the actual client user and not merely the App Pool Identity. Is
this correct or am I confused?

Thanks.

--

Steven Hughes - MCSD