ApplicationHost.config Context

<!-- App Pool -->
<add name="Site - Intranet" autoStart="true" managedRuntimeVersion="v4.0" />
<add name="App - App1" autoStart="true" managedRuntimeVersion="v4.0" />
<add name="App - App2" autoStart="true" managedRuntimeVersion="v2.0" />

<!-- Site -->
<site name="Intranet" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Site - Intranet">
        <virtualDirectory path="/" physicalPath="D:\Web\Sites\Intranet" />
    </application>
    <application path="/Apps/App1" applicationPool="Application - App1">
        <virtualDirectory path="/" physicalPath="D:\Web\Apps\App1" />
    </application>
    <application path="/Apps/App2" applicationPool="Application - App2">
        <virtualDirectory path="/" physicalPath="D:\Web\Apps\App2" />
    </application>
</site>

As you can see, I have one Site with its own 4.0 CLR app pool and identity, which hosts two separate Applications, each with their own app pools and identities. All three are sandboxed into separate file system locations.

NTFS Permissions for AppPoolIdentity Accounts

Permissions must be given to each AppPoolIdentity on its respective folder (ex. IIS AppPool\Site - Intranet needs Read/Execute permissions on D:\Web\Sites\Intranet).

At this point, Application App1 should not be able to read/execute files in it's parent Site's physical folder structure. And vice versa, the hosting Site Intranet should not be able to read/execute files within App1's physical folder structure. Am I understanding that right?

When I visit a child application (ex http://intranet/apps/app1) I get a server error stating that it cannot read the parent Site's web.config file due to insufficient permissions.

If I grant the Application's identity account read/execute permissions on the parent Site's physical folder structure (ex. IIS AppPool\App - App1 access to D:\Web\Sites\Intranet) the issue is resolved.

Question(s)

1. Why does the child Application need to read web.config or any other files from the parent site?

   Note: My parent site's web.config is already breaking child app/vdir inheritance using the <location path="." inheritInChildApplications="false"> technique.

2. Given that this identity account has by nature Write permissions on many folders - IIS AppPoolIdentity and file system write access permissions - doesn't this introduce a security risk? For instance, couldn't any child application now potentially write to the parent Site's App_Data folder or elsewhere?

For #1, child folders/apps inherit the web.config settings of their parent folders by default. I would assume that ASP.NET doesn't check your element before trying to access those parent web.config files. Makes sense to me though it's not what you would want.

For #2, not too sure there. If your app pool identity is a member of users (as your references answer states) then it does have read access to lots of places, but not write to too many. I wouldn't go by what the questioner says there. Not sure about the child writing to parent folders. You should be able to block that with appropriate file system permissions (keeping in mind whatever groups your app pool identity is a member of). I've never had this config so I'm not sure.