Select App Pool Identity as the predefined security account, or use another account that has least privileges.
Do not assign the Local System account as the identity account. This account has elevated privileges and can pose a significant security risk.
It is recommended that you use the Network Service account combined with impersonation, which lets the worker process use the credentials of a domain user for file or disk group access. The impersonation account should be a user with rights to the domain so that NTFS file security can be applied. When using domain authentication, the impersonated account requires the Account Operator right for the domain.
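The following PowerShell audit is an added example, not part of the product documentation: it lists each IIS application pool's identity and flags any pool running as Local System. It assumes the IIS `WebAdministration` module; the pool names, the `Get-AppPoolIdentityFinding` helper and the finding labels are this example's own, and the fallback data is constructed so the script also runs on a machine without IIS.

```powershell
# Added example: audit IIS application pool identities against the guidance above.
# The finding labels are this example's own wording, not product output.
function Get-AppPoolIdentityFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Pool   # expects Name, IdentityType and UserName properties
    )
    process {
        $finding = switch ([string]$Pool.IdentityType) {
            'LocalSystem'             { 'FAIL: elevated privileges; change the identity' }
            'ApplicationPoolIdentity' { 'OK: predefined least-privilege identity' }
            'NetworkService'          { 'OK: confirm impersonation is configured' }
            'SpecificUser'            { "REVIEW: confirm '$($Pool.UserName)' is least-privileged" }
            default                   { 'REVIEW: not covered by the guidance above' }
        }
        [pscustomobject]@{
            Name         = $Pool.Name
            IdentityType = [string]$Pool.IdentityType
            Finding      = $finding
        }
    }
}

if (Get-Module -ListAvailable -Name WebAdministration) {
    # Live data: read every pool's processModel settings from the IIS: drive.
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            IdentityType = $_.processModel.identityType
            UserName     = $_.processModel.userName
        }
    }
} else {
    # Constructed sample data so the script runs without IIS installed.
    $pools = @(
        [pscustomobject]@{ Name = 'ExamplePoolA'; IdentityType = 'LocalSystem'; UserName = '' }
        [pscustomobject]@{ Name = 'ExamplePoolB'; IdentityType = 'ApplicationPoolIdentity'; UserName = '' }
        [pscustomobject]@{ Name = 'ExamplePoolC'; IdentityType = 'SpecificUser'; UserName = 'EXAMPLE\svc-web' }
    )
}

$pools | Get-AppPoolIdentityFinding | Format-Table -AutoSize

# To move a flagged pool off Local System (pool name is a placeholder):
# Set-ItemProperty 'IIS:\AppPools\ExamplePoolA' -Name processModel.identityType -Value ApplicationPoolIdentity
```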
For high-security deployments, follow Microsoft best practices. For information about creating a custom least-privileged service account, see the Microsoft article "How To: Create a Service Account for an ASP.NET 2.0 Application," available at: http://msdn2.microsoft.com/en-us/library/ms998297.aspx
For file and folder permissions required with .NET 4.5, see "ASP.NET Required Access Control Lists (ACLs)," available at: http://msdn.microsoft.com/en-us/library/kwzs111e.aspx