Is there a way to access the file-system outside of the current ASP.NET application, without going around giving IIS_IUSRS permissions? For example, if I wanted this line to work:

logStream = File.Open("C:\logs\app.log", FileMode.Append, FileAccess.Write, FileShare.ReadWrite);

... I'd have to normally grant read/write permission to C:\logs\app.log to the IIS_IUSRS group. This gets annoying for setting the app up on new systems, where the directories which need to be accessed can be in different locations. Is there any way to tell ASP.NET what directories it should have access to?

You can do this using impersonation, but I would urge you not to do this. You're getting into very risky areas as far as security is concerned. If you're not 100% sure of the access permissions of the identity you are impersonating, then you run the very real risk of allowing hackers to get at areas of your server that you did not intend. Setting up ACL's properly is time consuming, and you do NOT want to just use an administrative or super user. You'd want to set up a user specifically for this purpose, and if you're doing that, you're just adding a step to what you're already doing.

A better solution would be to design your app to write to a folder that your application controls. Your installation can create the folder on the machine and grant permissions automatically, rather than relying on an existing system folder.

http://msdn.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_impersonationdelegation

You can also setup your AppPool to run under an account with the appropriate credentials.