Access Denied 401.1 goes away temporarily after IISRESET

I ran into an interesting issue the other day while helping one of our Support Engineers from Exchange. The customer was getting a 401.1 response when trying to browse a site with anonymous access only. Initially the SE from Exchange and I both had the same hypothesis that the IUSR account password was out of sync and a simple resetting of the password should get things up and going again. Following the steps in my previous post (see https://blogs.msdn.com/jiruss/archive/2006/05/24/606107.aspx) we proceeded to reset the IUSR account password. I went to IIS manager and right-clicked on the site and selected browse expecting things to gloriously start working (as they usually do) but much to my surprise we were presented with the same error again. Hmmmm.

At this point, I decided to check the machine's local security policy to make sure the correct user rights were in place to allow our IUSR account to log in. AHA! The IUSR is missing the "Access this computer from the network" right. I proceeded to explain to the customer that in order for the IUSR account to be able to log on, we would need to add this right. The right was currently being pushed out via a domain policy so we would need to move this machine into a different OU or stop pushing out this right as part of domain policy. It was at this point the customer said "well why does it work without this right if I reset IIS?". This one had me stumped for a bit. I spoke with one of my colleagues about this and he mentioned that he had seen IISRESET cause the IUSR account to start working in IIS for a while but he wasn't sure why. Not satisfied with not understanding this and still not 100% convinced that this could be, I did an IISRESET on the box. What do you know, I can now browse using my IUSR account. What? How can an IISRESET get around this policy?

Well, as it turns out, IISRESET is not "getting around" the policy, but is modifying the policy. I inspected the local security policy after doing the reset and sure enough, our IUSR account had been added to the "Access this computer from the network" right. In this case the customer was resetting IIS, which was resetting the local policies needed for IIS to function properly, but when the domain policy was being pushed out every night our rights were being removed and causing the IUSR logon to fail.

The moral of the story here is that IISRESET not only resets the IIS admin service and worker processes and recreates the default accounts but also resets the default permissions in the local security policy database. 
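To see this flip-flop for yourself, the following script (an added example, not part of the original post) exports the machine's user rights with `secedit` and reports whether the anonymous account is listed under "Access this computer from the network" (`SeNetworkLogonRight`). The default account name `IUSR_<computername>` and the temp file name are assumptions; pass `-Account` to override.

```powershell
# Added example: report who holds "Access this computer from the network".
# Assumption: the anonymous account is IUSR_<computername>; override with -Account.
param(
    [string]$Account = "IUSR_$env:COMPUTERNAME"
)

$right = 'SeNetworkLogonRight'   # constant name of "Access this computer from the network"
$cfg   = Join-Path $env:TEMP 'iusr-user-rights.inf'   # hypothetical scratch file name

# Export only the user-rights area of the local security policy (run elevated).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# The value is a comma-separated list of *SID entries and/or plain account names.
$entries = @()
if ($line) {
    $entries = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$ntType  = [System.Security.Principal.NTAccount]
$sidType = [System.Security.Principal.SecurityIdentifier]
$targetSid = (New-Object $ntType.FullName $Account).Translate($sidType).Value

$holders = foreach ($e in $entries) {
    $name = $e; $sid = '(unresolved)'
    try {
        if ($e.StartsWith('*')) {
            $sid  = $e.Substring(1)
            $name = (New-Object $sidType.FullName $sid).Translate($ntType).Value
        } else {
            $sid  = (New-Object $ntType.FullName $e).Translate($sidType).Value
        }
    } catch { }   # orphaned SID or unknown name: keep the raw entry
    [pscustomobject]@{ Name = $name; Sid = $sid }
}

$holders | Format-Table -AutoSize
# Only a direct listing is checked; a listed group containing the account also grants the right.
if ($holders.Sid -contains $targetSid) { "$Account is listed for $right" }
else { "$Account is NOT listed for $right" }
```

Run it once right after an IISRESET and again after the domain policy has been reapplied; on a machine affected as described above, the account is listed the first time and missing the second.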

HTTP/1.1 200 OK