Security question

I'm getting really confused with Windows 2003 Security...

Basically, we have a web app that gets installed with installshield on a customer's server.

Now one of the virtual directories (whose anonymous account is IUSR_MACHINENAME) is called \mydata

In this \mydata folder I have some .xml files that are saved via the web app. (i.e using the DataSet to XML file generators .net has).

I have given the IUSR_MACHINENAME account modify access on this \mydata folder, but when I try to save the .xml files from my web app, a username/password box pops up on the screen asking for Windows Credentials. I have also given modify access to the IIS_WPG account, the NETWORK SERVICE account, even given the EVERYONE account modify access, but this box still pops up!!

Shouldn't giving the IUSR_MACHINENAME account modify access be enough??

What I don't understand is we had this fixed a few days ago and it seemed like the only account requiring permissions was the IUSR account. But now it seems like everything has changed.

Please can someone explain to me what is going on here and why this box pops up!!!

My web.config security settings look like this...

<authentication mode = "Windows" />
<identity impersonate = "true" />
<authorization>
<allow users = "?" />
</authorization>

With

<identity impersonate = "true" />

the app runs under the current user's security role.

Perhaps you should set it to false.

hmm, I was under the impression that setting allow users = "?" meant allow anonymous users, and then use the IUSR account as the anonymous account.

Anyway, I gave the IUSR account modify permissions directly on the folder containing the .xml files. And it works.

I'm just confused as to why the permissions set on the top level folder didn't filter down to the sub folder containing the .xml files...
??