Files in a windows based web app

Question

I have a web application running on IIS. Instead of using a database it reads and writes to a couple of XML files. I currently store these files in the Application Data folder in windows. This folder (\Documents and Settings\All Users\Application Data in win 2003) however requires at least "Power Users" privileges to write!

Reads are OK and are granted to everyone but writes are not allowed as long as your not in the one of the more privileges groups on the system. Why is this so? Is there a better place for a application to write to and one that does require me to add the user of the application pool to a more privileged group?

My second question is that if I have file that just needs reading. Can I then read this directly for the folder where I have my web application deployed (say a folder in "Program Files") or should I at all times use the Application Data folder?

The idea here is that this files sometimes need manual change and using the folder where the web application runs from would basically make more since to normal users I think (especially on win 2008 where the Application Data is hard to find).

Answer 1

Reads are OK and are granted to everyone but writes are not allowed as long as your not in the one of the more privileges groups on the system. Why is this so?

You don't want to allow just anyone to write to the file system via a web application.

Using ASP .NET, people usually use the APP_Data folder to store data files that need read/write access to an account such as Network Service.