IIS 7 allows isolation of web application pools from each other by providing the ability to run application pools as separate identities. The identity of an application pool is the name of the service account under which the application pool's worker process runs. Running an application pool under an account that has high-level user rights is a serious security risk. The application pools run under an unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool. The ApplicationPoolIdentity can also be used as the account for Anonymous Authentication.

Application pools in IIS 7 run as "NetworkService" by default. NetworkService is a built-in Windows identity. In Windows 7 (IIS 7.5), the default identity of an IIS application pool is "ApplicationPoolIdentity". When WAS hosting your WCF service using NetMsmqBinding or MsmqIntegrationBinding, remember to grant "Receive Message" permission to "IIS APPPOOL\DefaultAppPool" on the MSMQ queue that the service is listening on. Here "IIS APPPOOL\DefaultAppPool" is nothing but "IIS APPPOOL\<name of the application pool on which your application is deployed>". Depending on your application, you may also need to configure the application pool to load the user profile by setting the "LoadUserProfile" setting to "true".