Yep - the installation instructions (although somewhat Unix biased) tell you to make sure that the web server user cannot write to the Moodle program directory.
So you think completely removing the first entry (IUSR) will bring it in line with recommendations?
Thanks for the replies, much appriciated.
Just change it's permission to 'Read and execute'. What you don't want is write/modify etc.
Sorry, I don't speak Windows but that's the general idea.
Thanks for your time, it's much appreciated