I came across this a while back, but lots of people aren't aware of it.
If you want to specify processmodel, impersonation or
SessionStateDB credentials you (until now) had to put them in the config file as clear
text, which isn't a great thing.
You can restrict the ACLS on the config file to just
the account reading the file which works fine, but this is potentiall prone to error.
To resolve this pain, this hotfix (which is included
inside the .NET framework 1.1) allows you to encrypt credentials in the registry.
FIX: Stronger Credentials for processModel, identity, and sessionState