Você pode ler o artigo link . Como a TomTom disse, sim, a segurança mudou muito do que era no IIS 6.0. O artigo descreve detalhadamente as alterações no nível de usuário e grupo que ocorreram no IIS 7.0.
Abaixo, parte do link do site e da ajuda disponível no IIS 7.
IIS_IUSRS group has been granted access on all the necessary file and system resources so that an account, when added to this group, can act as an application pool identity seamlessly. By default, the ApplicationPoolIdentity account is selected. The ApplicationPoolIdentity account is dynamically created when an application pool is started, and therefore this account provides the most security for your applications.