Yep - the installation instructions (although somewhat Unix biased) tell you to make sure that the web server user cannot write to the Moodle program directory.
Security and privacy
Moodle hacked, file permissions in IIS
This discussion has been locked because a year has elapsed since the last post. Please start a new discussion topic.
So you think completely removing the first entry (IUSR) will bring it in line with recommendations?
Thanks for the replies, much appriciated.